Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 a5c7e61a640d408f…

Verdict: MALICIOUS

File type: Office (OOXML) / .DOC

Size: 1.07 MB
Created: 2024-11-10 10:28:00 UTC
Authoring application: Microsoft Office Word 16.0000
First seen: 2026-05-13

MD5: 22846e8782e7e59b7cd502219b8353af
SHA-1: 245cec5d65f507016f8f193bcc5039322f2f0db6
SHA-256: a5c7e61a640d408f6c9152dae9552927b64d53fba4c0faf5b8c46dcda62ed84a

Risk score: 82

Heuristics (3)

  • LOLBin token sequence in document text (severity: high, rule ID: SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Remote-support tool lure (severity: high, rule ID: SE_REMOTE_SUPPORT_LURE)
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect. This is high-risk in an unsolicited document.
  • Embedded URL (severity: info, rule ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml (in document text: OOXML body / shared strings)
    • https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/ (in document text: OOXML body / shared strings)
    • https://github.com/SigmaHQ/sigma/issues/4876 (in document text: OOXML body / shared strings)
    • https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/ (in document text: OOXML body / shared strings)
    • https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md (in document text: OOXML body / shared strings)
    • https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling (in document text: OOXML body / shared strings)
    • https://github.com/SigmaHQ/sigma/pull/4467 (in document text: OOXML body / shared strings)
    • https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows10/1903/W10_1903_Pro_20200714_18362.959/WEPExplorer/Microsoft-Windows-WindowsUpdateClient.xml (in document text: OOXML body / shared strings)
    • https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md (in document text: OOXML body / shared strings)
    • https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee (in document text: OOXML body / shared strings)
    • https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/drawing/2014/chartex (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2015/wordml/symex (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (in document text: OOXML body / shared strings)
    • https://learn.microsoft.com/en-us/windows/win32/msi/event-logging (in document text: OOXML body / shared strings)
    • https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html (in document text: OOXML body / shared strings)
    • https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/ (in document text: OOXML body / shared strings)
    • https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html (in document text: OOXML body / shared strings)
    • https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker (in document text: OOXML body / shared strings)
    • https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker (in document text: OOXML body / shared strings)
    • https://learn.microsoft.com/en-us/windows- (in document text: OOXML body / shared strings)
    • https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/ (in document text: OOXML body / shared strings)
    • https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows- (in document text: OOXML body / shared strings)
    • https://www.cisa.gov/uscert/ncas/alerts/aa22-321a (in document text: OOXML body / shared strings)
    • https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high- (in document text: OOXML body / shared strings)