Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 900b70b133bc3ac2…

MALICIOUS

Office (OOXML) / .DOC

Size: 137.5 KB
Created: 2025-08-14 08:06:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 10814538060fc5213988a02fece62d10
SHA-1: 94ef033c9da965f85ab5edc422bf18167254911f
SHA-256: 900b70b133bc3ac236e8e2317d8187fc620c977de191b7c172ec97f8b25c22a2
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample exhibits high-confidence indicators of remote template injection and external relationship abuse, pointing towards a malicious OOXML document. The embedded OLE object and EMF file are likely components of the exploit or payload delivery. The primary IOC is the URL associated with the remote template injection, which is highly suspicious and likely serves as the initial download source for a secondary payload.

Heuristics (4)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://nicefeaturesbetterservicewithgreat_______wefeelbestandgoodserv.giFFnF=@shorten.website/toY5DQ?&forearm), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://nicefeaturesbetterservicewithgreat_______wefeelbestandgoodserv.giFFnF=@shorten.website/toY5DQ?&forearm
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-compatib

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 67b05af2bae6f5d681fbff69dd0cbcd22f63c1ef20b26f5ef4ed1db518abcce1
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Word_97_-_2003_Document1.doc
    Size: 186880 bytes
  • Filename: emf_00.emf
    SHA-256: 0566dc97c8ed009ec2f5a7bd29a365bcaa9dcbb885353afb147d49eabf72aeac
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 161440 bytes