Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 8c3829f349598dc3…

MALICIOUS

Office (OOXML) / .DOC

350.5 KB Created: 2023-08-16 01:11:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2023-10-26
MD5: 92ebf9ad78bc38722f519e67cc067528 SHA-1: db60680dc09c3b6e265e2f62ca6a081ba5d0f3f0 SHA-256: 8c3829f349598dc37abc0e36286dda33fbba89689b07a92c6ea82d95be3ac567
84 Risk Score

Malware Insights

MITRE ATT&CK
T1204 User Execution T1059 Command and Scripting Interpreter T1566 Phishing

The document contains heuristics indicating remote template injection and an external relationship, pointing to the URL http://toss.is/64*s4pM. This suggests the document is designed to lure the user into downloading and executing a malicious payload from this external source. The presence of embedded OLE objects further supports the malicious intent.

Heuristics 5

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://toss.is/64*s4pM) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: http://toss.is/64*s4pM
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://toss.is/64*s4pM
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
59881e873b4e6f07375a6bc4764b1f8a24d4e947bd1e8cc782a1eab864752b14		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 78336 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.87, consistent with packed or encrypted content.
ooxml_oleobject_01.bin
def386984b880f878200d5241dda8569d9c57f119836a793eeee27a275aa55a9		 ooxml-ole-object OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx 7881 bytes
emf_00.emf
1ab8f5abd845ffd0c61a61bb09bfcf20569b80b4496bccb58c623753cf40485c		 ooxml-emf OOXML EMF part: word/media/image1.emf 4056 bytes
emf_01.emf
12c8d665ee69f88da2109ad63983811816b7323f11a231c00f46420a01c7c85f		 ooxml-emf OOXML EMF part: word/media/image3.emf 1504016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.