Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 8ed8f127056d3428…

MALICIOUS

Office (OOXML) / .DOC

Size: 78.9 KB
Created: 2023-11-10 01:33:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 80acdc59009519fac35bd865d9f3d693
SHA-1: c3eed32826a89e4c775ee1ff92b280dbc5f1f68e
SHA-256: 8ed8f127056d342811bfbf6800c77fdfba1163d974a0881c347a53e31b604b09
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1559.001 Inter-Process Communication: Component Object Model

The OOXML document exhibits characteristics of malicious intent, specifically remote template injection and an embedded OLE object. The heuristic hits show that the document is configured to load an external resource from 'http://gf.to/lRoCbHNUo'. This is consistent with a delivery mechanism designed to download and execute further malicious content once the document is opened.

Heuristics (5)

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://gf.to/lRoCbHNUo) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: http://gf.to/lRoCbHNUo
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 6fc5394e7243b54602bc76cb295dfccd7fe83fd0440e674aede8e4e9d917559e
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 34304 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely (carved artifact entropy is 7.69, consistent with packed or encrypted content)
  • Filename: emf_00.emf
    SHA-256: c0da66b866cc999aee20456c2eee3eefc05046b8f5df3755f95fecb85f9f8be5
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 1505804 bytes