Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 852aaf8d0c8de9fb…

MALICIOUS

Office (OOXML) / .DOC

Size: 113.2 KB
Created: 2024-09-13 10:54:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: f67eb344194039f352fc6e47e2930903
SHA-1: 159da82da8579bbcb7308f8ccec96353a0777de5
SHA-256: 852aaf8d0c8de9fbeaa2fe3bb78772ff38ea293e11abd1c135378a2bbbbcc68d
Risk score: 60

Malware Insights

MITRE ATT&CK
T1204 Malicious Link

The OOXML document contains heuristics indicating the use of a remote template injection and an external relationship, both pointing to the URL https://topkale.me/9BYWrt. This suggests the document is designed to trick the user into accessing this external resource, which likely serves as a lure for a secondary payload download or execution.

Heuristics (2)

  • Remote template injection (severity: high) OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://topkale.me/9BYWrt) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
    URL https://topkale.me/9BYWrt
  • External relationship (severity: medium) OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://topkale.me/9BYWrt
    URL https://topkale.me/9BYWrt

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: emf_01.emf
SHA-256:  9677f2d74c995d3788d17214c2941936d75402af38daff5c988a3b4b5b4cfc03
Kind:     ooxml-emf
Source:   OOXML EMF part: word/media/image1.emf
Size:     160276 bytes