Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 b9eec8af046ab480…

MALICIOUS

Office (OOXML) / .DOC

Size: 163.8 KB
Created: 2023-06-11 02:09:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2023-06-14
MD5: 3d623068053a4274e2584cc38c9371bd
SHA-1: 207916902af716062cd47473cdfea5aff1563669
SHA-256: b9eec8af046ab48024083cd1de7d594d718137ed5c1ad2b8458ee797ab3707c1
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution

The OOXML document contains a heuristic firing for remote template injection, indicating it attempts to load content from an external URL. This is further supported by an external relationship firing. The primary IOC is the suspicious URL found in both heuristics, which is likely used to fetch a secondary malicious payload.

Heuristics (3)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://unesa.me/v5za74) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://unesa.me/v5za74
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://unesa.me/v5za74
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml