Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 b2c137ef5a58c76d…

MALICIOUS

Office (OOXML) / .DOC

Size: 55.9 KB
Created: 2025-03-26 07:12:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 118bb34bb0f1425780312e6ade73a9fa
SHA-1: a085d912d4ae7c3bd3c77545f2d9af1fd79c8dad
SHA-256: b2c137ef5a58c76dc6db661fc81cd160faadf817e05ebf25ac594eced1c8e5ba
Risk score: 80

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The OOXML_REMOTE_TEMPLATE heuristic indicates the document is configured to load external content from a URL, which is a common technique for delivering malicious payloads. The embedded OLE object and external relationship further support the likelihood of malicious intent. The primary IOC is the URL used for remote template injection, which is likely used to download and execute a second-stage payload.

Heuristics (4)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://agr.my/hTzPyR?&lotion) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://agr.my/hTzPyR?&lotion
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-compatibili

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    SHA-256: 28d6b13e2f3b25f748e2902ecde620d04aac5bc55fe26b1207ed6578643c7a8a
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls
    Size: 137216 bytes
  • emf_00.emf
    SHA-256: b74d91cab3d7ced9c7aed84b43e0c92e21bf295915adf1bf00998387fe6def62
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 101692 bytes