Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 ab6a233f41353b78…

MALICIOUS

File type: Office (OOXML) / .DOC
Size: 369.2 KB
Created: 2024-08-09 12:55:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 86ddddd33810e007512f0229b24be0bc
SHA-1: e81d9b9a0460495fec9262e6e27392a8d0ef8f27
SHA-256: ab6a233f41353b78344e40ea3facd999ab2c8a1de661195303689a8623a2fc01
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1559.001 Component Object Model Hijacking

The sample exhibits characteristics of a malicious OOXML document, specifically remote template injection and an embedded OLE object. Both techniques are commonly used to download and execute additional malicious content. The embedded OLE object is a strong indicator of malicious intent and likely serves as a dropper for later stages of the attack. The presence of a URL of unknown reputation warrants further investigation.

Heuristics (4)

  • Remote template injection (severity: high, rule OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://jamp.to/db4TnY) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://jamp.to/db4TnY
  • Embedded OLE object (severity: medium, rule OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the URLs listed below are OOXML XML namespace identifiers that appear in any Word document; they are not network fetches.
    URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 1590784 bytes
    SHA-256: 54c90b9b2c3ab912ec91314f899293d690b081b55636ad45a14b80ead22488b1
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image3.emf
    Size: 25476 bytes
    SHA-256: 6bea716fb9a6b3d4917c517ad7af02d4e1ec81f4f37c4916eee3136cc8088b90
  • emf_01.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 39300 bytes
    SHA-256: a5e75f01c06154d38641587a67be5e53cde01b87cf4b8242f9e3531ded1a2e12
  • emf_02.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 1505804 bytes
    SHA-256: 2223ffa25f96a23586a4b510de25580a87574cca91df73b098fd10fda35a56eb