Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 ac63520803ce7f13…

MALICIOUS

Office (OOXML) / .DOCX

108.6 KB
Created: 2015-11-19 06:08:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2026-06-21
MD5: f89c4fb64edc993604d53e5fad6585d4
SHA-1: 5bac4be57cdaabe0dd2fa3e54e4d3833fd32df43
SHA-256: ac63520803ce7f1343d4fa31588c1fef6abb0783980ad0ba613be749815c5900
Risk Score: 144

Heuristics 5

  • CVE-2017-0261/0262 — EPS image filter in OOXML document (critical, CVE related, CVE_2017_0261)
    Office OOXML package embeds an EPS/PostScript media part. The Office EPS filter hosted multiple exploited memory-corruption CVEs; plain EPS content is related evidence, not enough to distinguish a specific EPS CVE.
  • CVE-2015-2545 — Office malformed EPS exploit markers (critical, CVE likely, CVE_2015_2545)
    OOXML package embeds EPS/PostScript content with dynamic execution or decode-filter markers. CVE-2015-2545 is a crafted Office EPS vulnerability; this rule requires an actual EPS media part plus exploit-style PostScript primitives rather than an EPS extension alone.
  • External relationship (medium, OOXML_EXTERNAL_REL)
    External target in word/_rels/document.xml.rels: ooxWord://word/media/image1.eps
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: ooxml_eps_00.eps
Kind: ooxml-eps
Source: OOXML EPS/PostScript part: word/media/image1.eps
Size: 430398 bytes
SHA-256: aa8325cfd5d74417d4eba6ddbe67d999a3ad2bb440f31fb273bfc1d9f6f8afa5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 long base64-like blob(s).