Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 b3940195da119bb4…

MALICIOUS

Office (OOXML) / .DOC

Size: 90.3 KB
Created: 2025-02-11 05:56:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 603340aa73f7808a2ea2f27dd6dad439
SHA-1: be01c8b13b6d5b80559718497b6706953f488bdf
SHA-256: b3940195da119bb4ee9bf7b5b784e3d9ed692d9c4d7eccb5b0029e7c8ae87a1d
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution

The OOXML document contains heuristics indicating remote template injection and external relationships, suggesting it's designed to fetch and execute content from an external source. The presence of embedded EMF files could be part of the lure or payload delivery mechanism. The primary IOC is the URL associated with the remote template.

Heuristics (3)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://woki.me/4ZQ2B), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://woki.me/4ZQ2B
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The URLs below are standard OOXML XML namespace identifiers rather than network destinations:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-com

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: emf_00.emf
    SHA-256: f375ef837181f05750b2046b9a81447ab22709d97d262b6b61753c013694ddeb
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 76824 bytes
  • Filename: emf_01.emf
    SHA-256: 9923cb4bf7a5fbb9c22512a2431582df95a92f67868ff26cbc80bfecbb667db7
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 250880 bytes