Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 b92c2db67a490623…

MALICIOUS

Office (OOXML) / .DOC

Size: 118.3 KB
Created: 2024-08-20 10:04:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 0a64157208fba424772acbe777f7ced1
SHA-1: 7a2cc244ab768d362d0a793f54e8f3bcdbc14924
SHA-256: b92c2db67a490623bd44bd650981cff965e3ca60976bc323d7cbca78a8333139
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File

The file exhibits characteristics of a malicious OOXML document, specifically triggering heuristics for remote template injection and external relationships. These indicators suggest an attempt to load external resources, likely for malicious purposes. The embedded URL points to a suspicious shortener, which is a common technique for obfuscating malicious links. The document body contains mathematical formulas, which is likely a lure to disguise the malicious intent.

Heuristics (3)

  • Remote template injection (severity: high, rule OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://kutt.uk/SoJDuc) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://kutt.uk/SoJDuc
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    Note: all six URLs listed here are standard OOXML / Office XML namespace URIs that appear in any Word document; they are not network indicators. The only external target in this sample is the remote-template URL reported under the two heuristics above.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: emf_00.emf
  SHA-256: 27cb171be0ad68d5bf599a40be2ac4c15c9238182a4d4355676a6f4074cd53a9
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image1.emf
  Size: 76284 bytes

Filename: emf_01.emf
  SHA-256: 3bbbb7e30ee017fbc4dd20795630e3e6b745443e160e0e3aa38e9ec832d64b91
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image2.emf
  Size: 134544 bytes