Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 926a947ea2b59d3e…

MALICIOUS

Type: Office (OOXML) / .DOCX

Size: 135.5 KB
MD5: 476027afdbf18c18e076fff71a8ef588
SHA-1: 986de6bc24a480f6d0ab631f21bd5f38d70490d9
SHA-256: 926a947ea2b59d3e9a5a6875b4de2bd071b15260370f4da5e2a60ece3517a32f
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File

The sample is a DOCX file that uses remote template injection: an external relationship in the settings part points the document's attached template at a URL outside the package. When the document is opened, Word resolves that relationship and fetches the template itself; the user's role is limited to opening the file and, if the retrieved template carries macros, accepting the macro prompt. The document body therefore needs no macro code of its own, which is why the indicator is the relationship target rather than VBA. The most likely intent is to deliver a macro-enabled template from the attacker-controlled host and use it for further compromise.

Heuristics (2)

  • Remote template injection (severity: high, OOXML_REMOTE_TEMPLATE)
    The document references a remote template URL (https://ms-offices.com/templates-for-word/download?id=TYV6YAYWOPEKI61Y), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template when the document is opened; macros in that template may execute depending on Office policy and trust state. This is a static finding: the target URL was not fetched, so the content served there is unknown.
    URL: https://ms-offices.com/templates-for-word/download?id=TYV6YAYWOPEKI61Y
  • External relationship (severity: medium, OOXML_EXTERNAL_REL)
    External target (TargetMode="External") in word/_rels/settings.xml.rels: https://ms-offices.com/templates-for-word/download?id=TYV6YAYWOPEKI61Y
    URL: https://ms-offices.com/templates-for-word/download?id=TYV6YAYWOPEKI61Y
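Both heuristics above come down to reading the relationship parts inside the OOXML zip: the external-relationship check looks for any `TargetMode="External"` relationship, and the remote-template check looks for a `w:attachedTemplate` in `word/settings.xml` whose relationship resolves to a network target. The Python below is an added example written for this page; it is not the scanner's code or part of the report. It builds a minimal DOCX in memory that reuses the URL listed above (the document itself is constructed and is not the analysed sample), then runs both checks against it, and also distinguishes a network target (http(s) or a UNC path) from an external but local `file://` template, which would match only the external-relationship condition.

```python
import io
import zipfile
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = NS_R + "/attachedTemplate"

# URL reported above; the DOCX built around it by build_sample_docx() is
# constructed for this example and is not the analysed sample.
SAMPLE_URL = "https://ms-offices.com/templates-for-word/download?id=TYV6YAYWOPEKI61Y"


def find_external_relationships(docx_bytes):
    """All relationships with TargetMode="External" in every .rels part, as
    (rels_part, rel_id, rel_type, target). This is the general condition
    behind OOXML_EXTERNAL_REL: the target lives outside the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % NS_REL):
                if rel.get("TargetMode", "Internal") == "External":
                    found.append((name, rel.get("Id"), rel.get("Type"), rel.get("Target")))
    return found


def is_remote_target(target):
    """http(s) URLs and UNC paths are fetched over the network; file:// URLs
    and bare paths stay on the local machine."""
    if target.startswith("\\\\"):
        return True
    return urlsplit(target).scheme.lower() in ("http", "https")


def find_remote_template(docx_bytes):
    """Return the template URL when word/settings.xml has a w:attachedTemplate
    whose relationship is an external, network-reachable target (the
    OOXML_REMOTE_TEMPLATE condition); None otherwise."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if not {"word/settings.xml", "word/_rels/settings.xml.rels"} <= names:
            return None
        settings = ET.fromstring(zf.read("word/settings.xml"))
        tmpl = settings.find("{%s}attachedTemplate" % NS_W)
        if tmpl is None:
            return None
        rid = tmpl.get("{%s}id" % NS_R)
        rels = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in rels.iter("{%s}Relationship" % NS_REL):
            if (rel.get("Id") == rid and rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"
                    and is_remote_target(rel.get("Target", ""))):
                return rel.get("Target")
    return None


def build_sample_docx(template_target=SAMPLE_URL):
    """Constructed minimal DOCX whose settings part attaches a template at
    template_target. Not the analysed sample; just enough package structure
    to exercise the checks above."""
    decl = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    parts = {
        "[Content_Types].xml": decl +
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
            '</Types>',
        "_rels/.rels": decl +
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s/officeDocument" Target="word/document.xml"/></Relationships>' % (NS_REL, NS_R),
        "word/_rels/document.xml.rels": decl +
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s/settings" Target="settings.xml"/></Relationships>' % (NS_REL, NS_R),
        "word/document.xml": decl +
            '<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Invoice attached.</w:t></w:r></w:p></w:body></w:document>' % NS_W,
        "word/settings.xml": decl +
            '<w:settings xmlns:w="%s" xmlns:r="%s"><w:attachedTemplate r:id="rId1"/></w:settings>' % (NS_W, NS_R),
        # The only external relationship in the package: the attached template.
        "word/_rels/settings.xml.rels": decl +
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/></Relationships>'
            % (NS_REL, ATTACHED_TEMPLATE, template_target),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("remote template:", find_remote_template(doc))
    for part, rid, rtype, target in find_external_relationships(doc):
        print("external rel in %s: %s -> %s" % (part, rid, target))
```

To triage a real file, pass `open(path, "rb").read()` to `find_remote_template` and `find_external_relationships`; the checks are purely static and never contact the target URL. Matching on the `attachedTemplate` relationship type rather than on the presence of VBA is deliberate: the lure document in this technique carries no macros, so a VBA-only scan reports it clean.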