Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 b74bbed109e630f6…

MALICIOUS

Office (OOXML) / .DOC

93.7 KB Created: 2024-07-19 01:41:00 UTC Authoring application: Microsoft Office Word 12.0000
MD5: b75bd88d4f4f2a7a5e77a4109d55c6ea SHA-1: 064c35b26c31413319d938fbc6ebaa3c4c85392e SHA-256: b74bbed109e630f69004a7372b4271fad04ace2cea48e99d730401738ee47deb
160 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Downloader.Loda-7570590-0. It utilizes a remote template injection and external relationship, pointing to 'https://darpexllc.top/milli.doc'. The document body contains a list of industrial parts, serving as a lure to trick users into enabling macros or editing, which is a common technique for malware droppers. The primary attack vector appears to be social engineering to facilitate the download of a secondary payload.

Heuristics 5

  • ClamAV: Doc.Downloader.Loda-7570590-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Loda-7570590-0
  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://darpexllc.top/milli.doc) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://darpexllc.top/milli.doc
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Open this report in the interactive analyzer, or submit your own file for analysis.