Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 aec21a0110a85fec…

MALICIOUS

Office (OOXML) / .DOC

Size: 303.8 KB
Created: 2024-10-10 15:54:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: d5bf6725f21d86b1c51658c44d848ce8
SHA-1: 767105dd3659aea3823a1ad68687fffac6764d26
SHA-256: aec21a0110a85feca0f2a823a781f558c79fe1426d06d7754a2048b3c5cee692
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The file exhibits the characteristics of a malicious OOXML document: it triggers the heuristics for remote template injection and for an external relationship. The remote template URL, referenced from word/_rels/settings.xml.rels, points to a suspicious resource that is likely used to fetch and execute a secondary payload. The presence of an embedded OLE object (an Excel 97-2003 worksheet, see Extracted artifacts) further supports the malicious assessment.

Heuristics 4

  • Remote template injection (high, OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://rdt.li/JTGT0W?&decade=spectacular&waterspout=great&keystone=breezy&pressroom=accidental&curl=purple&criminal=sneaky&encyclopedia=ski), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Once the document is opened for editing, Word fetches and applies the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (medium, OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://rdt.li/JTGT0W?&decade=spectacular&waterspout=great&keystone=breezy&pressroom=accidental&curl=purple&criminal=sne
  • Embedded OLE object (medium, OOXML_OLE_OBJECT)
    Document contains an embedded OLE object (word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls, carved as ooxml_oleobject_00.bin under Extracted artifacts).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The entries below are OOXML and WordprocessingML XML namespace URIs that appear in every Word document and are not network indicators.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-com

Extracted artifacts 4

Files carved from inside the sample during analysis.

ooxml_oleobject_00.bin
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls
  Size:    187904 bytes
  SHA-256: 8a6c824e85c9db497d73c13c466de01e417e7878931a0bd27c7cbb07018f5ff7

emf_00.emf
  Kind:    ooxml-emf
  Source:  OOXML EMF part: word/media/image3.emf
  Size:    187044 bytes
  SHA-256: f342cf7bfc8622b1abb64e960018ce879816aa5a551c3e37fe9b23e4a51c1d9e

emf_01.emf
  Kind:    ooxml-emf
  Source:  OOXML EMF part: word/media/image1.emf
  Size:    50496 bytes
  SHA-256: ab9bee8e92ef5bf84a924ccce3a8450990d88d766b1d2da8b4c76075e71f9f66

emf_02.emf
  Kind:    ooxml-emf
  Source:  OOXML EMF part: word/media/image2.emf
  Size:    96712 bytes
  SHA-256: e784e292bb2e8fc8bdbb0efa17d86eefa977ff1a95f1c63019c3a1d26688a8e7
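The following Python is an added worked example, not code from the platform that produced this report. It reproduces the two things the report does: the remote-template and external-relationship checks from the Heuristics section (walking every .rels part, flagging TargetMode="External" relationships and singling out an http/https attachedTemplate in word/_rels/settings.xml.rels) and the artifact carving from this section (reading embedded OLE and EMF parts and hashing them). The .docx it scans is built in memory as a constructed stand-in with the same layout as the sample; the template URL (example.invalid), part contents, sizes and hashes are placeholders, not data from the sample. One caveat the code handles: a benign document's attachedTemplate (for instance a file:// path to Normal.dotm) is also TargetMode="External", so the remote-template verdict requires an http or https scheme rather than the External flag alone.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OOXML package-relationship namespace and the two relationship types that matter here.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
OLE_OBJECT = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (OLE2) signature


def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal .docx with the same shape as the sample: an attachedTemplate
    relationship in word/_rels/settings.xml.rels, an embedded Excel 97-2003 worksheet
    under word/embeddings/ and an EMF under word/media/. template_target and all part
    contents are placeholders (assumptions), not data from the analysed sample."""
    settings_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    document_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId5" Type="{OLE_OBJECT}" '
        'Target="embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        z.writestr("word/_rels/document.xml.rels", document_rels)
        # Placeholder OLE2 container: correct magic, zeroed body.
        z.writestr("word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls",
                   OLE2_MAGIC + b"\x00" * 504)
        z.writestr("word/media/image1.emf", b"\x01\x00\x00\x00" + b"\x00" * 60)
    return buf.getvalue()


def triage_ooxml(data: bytes) -> dict:
    """Walk every .rels part for external targets, single out a remote (http/https)
    attachedTemplate, and carve + SHA-256 embedded OLE and EMF parts."""
    report = {"external_rels": [], "remote_template": None, "artifacts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") != "External":
                        continue  # internal part references never cause a network fetch
                    target = rel.get("Target", "")
                    rel_type = rel.get("Type", "")
                    # A file:// attachedTemplate (e.g. Normal.dotm) is also TargetMode="External";
                    # only an http/https target makes Word reach out to the network.
                    is_remote = urlsplit(target).scheme.lower() in ("http", "https")
                    entry = {"part": name, "id": rel.get("Id"),
                             "type": rel_type.rsplit("/", 1)[-1],
                             "target": target, "remote": is_remote}
                    report["external_rels"].append(entry)
                    if rel_type == ATTACHED_TEMPLATE and is_remote:
                        report["remote_template"] = target
            elif name.startswith("word/embeddings/") or name.lower().endswith(".emf"):
                blob = z.read(name)  # carve the part exactly as stored in the package
                report["artifacts"].append({
                    "part": name, "size": len(blob),
                    "sha256": hashlib.sha256(blob).hexdigest(),
                    "ole2": blob.startswith(OLE2_MAGIC)})
    return report


if __name__ == "__main__":
    for target in ("https://example.invalid/template.dotm",
                   "file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"):
        r = triage_ooxml(build_sample_docx(target))
        print(target, "->", "REMOTE TEMPLATE" if r["remote_template"] else "local template")
        for a in r["artifacts"]:
            print("  ", a["part"], a["size"], a["sha256"][:16], "ole2" if a["ole2"] else "")
```

To run it against a real sample, pass the file's bytes to triage_ooxml instead of build_sample_docx; the sha256 values it prints for the embedded parts correspond to the per-artifact hashes in the table above, since each artifact is the raw package part. A carved .xls that starts with the OLE2 magic is a Compound File Binary container and should be analysed further on its own (for example for Excel 4.0 macro sheets or VBA storage); this script only identifies and hashes it.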