MALICIOUS
122
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The file exhibits characteristics of a malicious document, specifically triggering heuristics for remote template injection and external relationships. The ClamAV detection further supports its malicious nature. The embedded URL, although marked as confirmed benign in this context, is often used in such lures. The primary attack pattern involves tricking the user into fetching a secondary payload.
Heuristics 4
-
ClamAV: Doc.Downloader.Redline-9972754-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Redline-9972754-0
-
Remote template injection high OOXML_REMOTE_TEMPLATEDocument references a remote template URL (https://is.gd/du7JJm) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.URL https://is.gd/du7JJm
-
External relationship medium OOXML_EXTERNAL_RELExternal target in word/_rels/webSettings.xml.rels: https://is.gd/du7JJmURL https://is.gd/du7JJm
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.URL http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2006/wordml
Open this report in the interactive analyzer, or submit your own file for analysis.