Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a0b2480a1eb4e0ad…

MALICIOUS

Office (OOXML)

10.1 KB Created: 2018-03-07 09:39:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2026-06-05
MD5: 41456189c39549fb01583ba4d8e3a5ad SHA-1: ccc5651034288364182c55ec76030ea4f22f8956 SHA-256: a0b2480a1eb4e0ad26f53b6dbda72e98783ad3c2caac258a316791f87374c8ea
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a downloader signature. Heuristics indicate remote template injection and external relationships pointing to the URL https://longurl.in/hZzk, suggesting the document is designed to fetch and execute a secondary payload. The document body contains minimal readable text, providing no further context on the lure.

Heuristics 4

  • ClamAV: Doc.Downloader.Redline-9972754-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Redline-9972754-0
  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://longurl.in/hZzk) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/webSettings.xml.rels: https://longurl.in/hZzk
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://longurl.in/hZzk Remote template reference
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Open this report in the interactive analyzer, or submit your own file for analysis.