Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 bb0f5187d550b662…

MALICIOUS

Office (OOXML) / .DOC

Size: 38.0 KB
Created: 2025-03-19 11:04:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 96d92c29b93961b324ef5b497b09cd65
SHA-1: 64b3eb13a07d7948abfc7d5f74e90a12f849b8c7
SHA-256: bb0f5187d550b6627f61ebda844185905fdf21eaeb364416c2e986e63a0e93b6
Risk score: 80

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The OOXML_REMOTE_TEMPLATE and OOXML_EXTERNAL_REL heuristics indicate that this document is configured to load external content, specifically from the URL https://kryx.ru/pMe7jM?&drill=solid&ruckus. This is a common technique for delivering malicious payloads. The presence of an embedded OLE object further suggests an attempt to execute code or load additional malicious components. The document body itself does not provide specific lures, but the technical indicators strongly point to a remote template injection attack.

Heuristics (4)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://kryx.ru/pMe7jM?&drill=solid&ruckus) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://kryx.ru/pMe7jM?&drill=solid&ruckus
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-compatibili
    Note: the URLs in this list are standard OOXML/WordprocessingML XML namespace identifiers found in ordinary Word documents, not network contact points; the only network indicator in this sample is the remote template URL reported under OOXML_REMOTE_TEMPLATE and OOXML_EXTERNAL_REL above.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 8cdd74016ca39df4139d1926f1517e784a0b6efe63e0ba4b868f1a8229af799b
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls
    Size: 83456 bytes
  • Filename: emf_00.emf
    SHA-256: 602ae54ac364166ccbf12d59d161bc0819b33f90d576608829a244a553dde6cc
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 53696 bytes