Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 b3271e36ea8024a4…

MALICIOUS

Office (OOXML) / .DOC

Size: 193.4 KB
Created: 2024-09-04 15:50:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 7004e591b7172cda80209756a7571cb2
SHA-1: 69ee05d5bcf5b683c5c03059f2847d6e4615b39d
SHA-256: b3271e36ea8024a4ca410e8dfaa376ca0214400087b1025ce2567cdc0a15cab3
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1204 User Execution (T1204.001 Malicious Link)   T1059 Command and Scripting Interpreter

The document carries an attachedTemplate relationship whose target is an external URL (remote template injection) together with an embedded OLE object. When the file is opened, Word resolves that relationship and fetches the template from the remote host, so the content that would ultimately execute is not stored in this file; the external URL and the high-entropy OLE part are the key indicators of malicious intent. The primary attack vector is therefore tricking the user into opening the document so that Word pulls a remote resource, which likely leads to further compromise.

Heuristics 5

  • Remote template injection (high) OOXML_REMOTE_TEMPLATE
    The attachedTemplate relationship referenced from word/settings.xml points at a remote URL (https://ubal.do/zhn79G), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word fetches and applies the remote template at open time; macros in that template may execute depending on Office macro policy and the document's trust state. The target is a short URL, so the final destination and the served template cannot be determined statically from this file.
  • External relationship (medium) OOXML_EXTERNAL_REL
    Relationship with TargetMode="External" in word/_rels/settings.xml.rels: https://ubal.do/zhn79G (the same target as the remote-template heuristic above, reported here by the generic external-relationship check).
  • Embedded OLE object (medium) OOXML_OLE_OBJECT
    Document contains an embedded OLE object (word/embeddings/oleObject1.bin, carved below as ooxml_oleobject_00.bin).
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs below are OOXML XML namespace identifiers (xmlns declarations), not network destinations the document requests; the only genuine external target in this sample is the one listed under the relationship heuristics above.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-com

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 087ac184ad87f30597e2cbc4011fb87a72ee67c9a0944ec66ab6af42ed4d1bb0
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
  Size: 71680 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Carved artifact entropy is 7.83 bits/byte, consistent with packed or encrypted content; an OLE/CFB container's own headers are low-entropy, so a value this close to 8 over 71680 bytes indicates the embedded stream itself is compressed or encrypted (an embedded archive or encrypted payload would score the same way).

Filename: emf_00.emf
  SHA-256: ff101209eb1330baae7762edf0e2071f6d7ee28b16c971323402ac18b39f398c
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image1.emf
  Size: 1505804 bytes
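The checks behind the relationship heuristics above (remote template via attachedTemplate, any TargetMode="External" relationship, embedded OLE parts) and the entropy triage of carved parts can be reproduced with a short static parser. The following is an added example written for this page, not the analysis tool's own code. It builds a constructed minimal .docx in memory (placeholder template URL https://template.example/remote.dotm and a synthetic uniform-byte "OLE" part standing in for packed content; neither is from the analysed sample) and runs the triage over it. The entropy threshold of 7.5 bits/byte is an assumed cut-off.

```python
# Added example: static triage of an OOXML (.docx) package for the indicators
# this report lists. Not the report tool's own code; the sample package,
# the template URL and the entropy threshold are constructed/assumed.
import io
import math
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"
OLE_OBJECT = OFFICE_REL + "oleObject"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ENTROPY_THRESHOLD = 7.5  # assumption: bits/byte above which a part is called packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_ooxml(blob: bytes) -> dict:
    """Walk every .rels part and every word/embeddings/ part of the package.

    Only relationship targets are reported. xmlns URIs inside the XML bodies
    (the schemas.openxmlformats.org entries in the EMBEDDED_URL list) are
    namespace identifiers, not network destinations, and are never read here.
    """
    findings = {"remote_template": [], "external_rels": [],
                "ole_parts": [], "high_entropy_parts": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    if rel.get("TargetMode") == "External":
                        findings["external_rels"].append((name, target))
                        if rel.get("Type") == ATTACHED_TEMPLATE:
                            findings["remote_template"].append(target)
            elif name.startswith("word/embeddings/"):
                data = z.read(name)
                findings["ole_parts"].append((name, len(data)))
                ent = round(shannon_entropy(data), 2)
                if ent > ENTROPY_THRESHOLD:
                    findings["high_entropy_parts"].append((name, ent))
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal .docx (not the analysed sample) with the same pattern:
    settings.xml -> attachedTemplate r:id -> external URL in settings.xml.rels,
    plus an internal oleObject relationship to a high-entropy embedded part."""
    template_url = "https://template.example/remote.dotm"  # placeholder, not the report's URL
    settings_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_url}" TargetMode="External"/></Relationships>')
    document_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId2" Type="{OLE_OBJECT}" '
        f'Target="embeddings/oleObject1.bin"/></Relationships>')
    settings_xml = (
        f'<w:settings xmlns:w="{W_NS}" xmlns:r="{OFFICE_REL[:-1]}">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>')
    document_xml = (
        f'<w:document xmlns:w="{W_NS}" xmlns:r="{OFFICE_REL[:-1]}">'
        '<w:body><w:p/></w:body></w:document>')
    # Uniform byte distribution: a synthetic stand-in for packed/encrypted content.
    fake_ole = bytes(range(256)) * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", document_rels)
        z.writestr("word/settings.xml", settings_xml)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        z.writestr("word/embeddings/oleObject1.bin", fake_ole)
    return buf.getvalue()


SAMPLE_DOCX = build_sample_docx()

if __name__ == "__main__":
    for key, value in triage_ooxml(SAMPLE_DOCX).items():
        print(f"{key}: {value}")
```

Against a real sample, pass the file bytes to triage_ooxml; an attachedTemplate relationship with TargetMode="External" is the exact condition that OOXML_REMOTE_TEMPLATE reports, and the entropy step reproduces the packed/encrypted verdict on the carved OLE part without unpacking it.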