Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 98af2f7c3da26547…

MALICIOUS

Office (OOXML)

Size: 10.1 KB
Created: 2018-03-07 09:39:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2021-07-07
MD5: f87c5a01448d958e79abe6f3c7ee186a
SHA-1: 4d6d7d3f53b6ce9446f2b985c9ff5cdf47f9aff0
SHA-256: 98af2f7c3da265478d6efc71fccf2ce4d8991cb16bd6bc3d6a134e1aaf2860e7
Risk Score: 122

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is an OOXML document that exhibits critical heuristics for remote template injection and external relationships. These indicators suggest the document is designed to fetch and execute content from a remote source, likely a malicious payload. The ClamAV detection as 'Doc.Downloader.Redline-9972754-0' further supports its role as a downloader.

Heuristics (4)

  • ClamAV: Doc.Downloader.Redline-9972754-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Redline-9972754-0
  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://bit.ly/2Ti5ITC) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/webSettings.xml.rels: https://bit.ly/2Ti5ITC
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (In document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (In document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (In document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (In document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (In document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (In document text: OOXML body / shared strings)
    • https://bit.ly/2Ti5ITC (Remote template reference)