Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 a0c87c23ec859ec9…

MALICIOUS

Office (OOXML) / .DOC

Size: 755.6 KB
Created: 2024-10-01 07:12:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: a74c9a9313cf747f7d16e19977be8cd5
SHA-1: 7459bc93deb42c7d9851f4ff7ba28f4f19f6d159
SHA-256: a0c87c23ec859ec9a3a5a2aab3f42767c577e639c30ba93f84e22edfe5c2791e
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The OOXML document shows two indicators of malicious intent: remote template injection and embedded OLE objects. The OOXML_REMOTE_TEMPLATE heuristic fired on the URL https://dealc.me/HFFx2i, which strongly suggests an attempt to load external content when the document is opened. The embedded OLE objects further indicate a potential for exploiting vulnerabilities or delivering secondary payloads. The document body was truncated, which limited further analysis of its direct content.

Heuristics (4)

  • OOXML_REMOTE_TEMPLATE: Remote template injection (severity: high)
    Document references a remote template URL (https://dealc.me/HFFx2i), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • OOXML_EXTERNAL_REL: External relationship (severity: medium)
    External target in word/_rels/settings.xml.rels: https://dealc.me/HFFx2i
  • OOXML_OLE_OBJECT: Embedded OLE object (severity: medium)
    Document contains an embedded OLE object.
  • EMBEDDED_URL: Embedded URL (severity: info)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-co

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, artifact kind, source part inside the OOXML package, size and SHA-256.

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 1565696 bytes
    SHA-256: f283854ee324ea2b5e0ecacfe534837f2f5906ca143fedd2039e5ee79649e4d4
  • ooxml_oleobject_01.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls
    Size: 1734144 bytes
    SHA-256: 7fa9574e85aa6b419474eb9b1b9d8ce63b812d407e4b63f6de4fed0f8870f2f7
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 1500652 bytes
    SHA-256: 74aed0236c0ef9f9c46f0b89f9a697d423b7891f7b9e5650ff376a6a99e01473
  • emf_01.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 318964 bytes
    SHA-256: a00a60b97eb3c6094348f3ab4a598171f119b6635e378e59d8063c4c41da28ec