Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 a91decdd65e45f46…

MALICIOUS

Office (OOXML) / .DOC

Size: 770.0 KB
Created: 2024-09-30 08:11:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: cde646bbf76aa0cb430f71ec2408b4bd
SHA-1: 40fbea905916fc49bfcaf203b3b15e78d9053df5
SHA-256: a91decdd65e45f46a226097d1331b51002c3c6120c5a2afdb7d29c5973166ce5
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The document exhibits characteristics of a malicious OOXML file, specifically triggering heuristics for remote template injection and external relationships. The presence of embedded OLE objects further suggests malicious intent. The primary IOC is the URL associated with the remote template, which is likely used to deliver a secondary payload.

Heuristics (4)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://og1.in/S7UYq0), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://og1.in/S7UYq0
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (all are standard OOXML XML namespace URIs, not network indicators):
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/marku

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls | 1734144 bytes | 8323f7e411a6d2cc902252f7dd29f16ddeec18e785d64c58f8b38d1c0377f056
ooxml_oleobject_01.bin | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet2.xls | 111104 bytes | aaeaeddaf37c9137ded7e00b8596c71c13a0f73b3491df56ff3003e2c76be509
emf_00.emf | ooxml-emf | OOXML EMF part: word/media/image4.emf | 134544 bytes | 6e7bb9f3d39b5a50fa8fd08b066b0a92001beaeae96c9fcbfdb5bcfb9f0f6c20
emf_01.emf | ooxml-emf | OOXML EMF part: word/media/image3.emf | 66768 bytes | 611408fc701324b9ee55de35ef19aa58103007691865e3900ec6e03bde70f0c9
emf_02.emf | ooxml-emf | OOXML EMF part: word/media/image1.emf | 318964 bytes | 420c08455abff24376b505bc34ee9021a10c5bf5285d3fd038778409ec78b67c
emf_03.emf | ooxml-emf | OOXML EMF part: word/media/image2.emf | 213168 bytes | c81de0eec367cc4fddadc14b92ea89be12c856acd249d45f93fcd69a8d50fd79