Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 8bb98f0901316f6c…

MALICIOUS

Office (OOXML) / .DOC

Size: 11.5 KB
Created: 2018-03-07 09:39:00 UTC
Authoring application: Microsoft Office Word 15.0000
MD5: 5e2459e47318a305846b169d086ece68
SHA-1: 03e7ed019b38ba5f618ad041dd8b05bc92a67e4e
SHA-256: 8bb98f0901316f6c2f1d8dbed338cc79f4a8c33a3a20602ba64879e8f4fab2c8
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The file exhibits remote template injection and external relationship heuristics, indicating it attempts to load content from an external URL. ClamAV identified this as Doc.Downloader.Redline, suggesting it functions as a downloader. The primary IOC is the URL associated with these heuristics, which is likely used to fetch the secondary payload.

Heuristics (4)

  • ClamAV: Doc.Downloader.Redline-9972754-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Redline-9972754-0
  • Remote template injection (severity: high, OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://hawkloger.shortcm.li/ueZ2xo) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, OOXML_EXTERNAL_REL)
    External target in word/_rels/webSettings.xml.rels: https://hawkloger.shortcm.li/ueZ2xo
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.