MALICIOUS
62
Risk Score
Malware Insights
MITRE ATT&CK
T1204 Malicious Link
T1559 Component Object Model Hijacking
The OOXML document contains heuristics indicating remote template injection and external relationship manipulation, both pointing to the loading of external content. The primary suspicious URL identified is https://emojied.net/😂😡🙂🙊😧🙂, which is likely used to deliver a malicious payload. No scripts were extracted, and the document body was minimal, making the analysis reliant on the OOXML structure and embedded URLs.
Heuristics 3
-
Remote template injection high OOXML_REMOTE_TEMPLATEDocument references a remote template URL (https://emojied.net/😂😡🙂🙊😧🙂) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
-
External relationship medium OOXML_EXTERNAL_RELExternal target in word/_rels/settings.xml.rels: https://emojied.net/😂😡🙂🙊😧🙂
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://emojied.net/😂😡🙂🙊😧🙂
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2006/wordml
Open this report in the interactive analyzer, or submit your own file for analysis.