Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 b39cc1ce2d546ee6…

MALICIOUS

Office (OOXML) / .DOC

Size: 84.9 KB
Created: 2024-08-07 00:30:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: e8eeca2b17300555ce982ae3368ea55e
SHA-1: 18b108ab1f73ef5e7ff61a2d3e0235976e412081
SHA-256: b39cc1ce2d546ee6683e73264aaf094f4dd0ddae3b77bba5e3c0384523e66110
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The OOXML document contains heuristics indicating remote template injection and external relationships, both pointing to the URL https://urlty.co/TtzpZ. This suggests the document is designed to download and execute content from this external source. No scripts were extracted, but the presence of embedded EMF files and the remote template injection heuristic strongly indicate a malicious intent to load external resources.

Heuristics 3

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://urlty.co/TtzpZ) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://urlty.co/TtzpZ
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-com

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: emf_00.emf
    SHA-256: 6f6e805c9473d6b4c0aec3b082cbc7e782b6c56a4d0048ef5902bb3ed8a8965c
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 80632 bytes
  • Filename: emf_01.emf
    SHA-256: 68fad6de3072d05d096326588a2d933eacdfa3bbd8369f48c73d8021ca3edee2
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 39300 bytes