Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 bdeb94b7aa7a0809…

MALICIOUS

Office (OOXML) / .DOCX

1.28 MB
MD5: f6a130e5ddcb1f63b1d12fe19ec57c53 SHA-1: ae72bb4b9d1fd72829e1a113c108f61b52b51238 SHA-256: bdeb94b7aa7a0809bf019c37b3b436bc6143f3c00144f17d411e047b39368477
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious File

The OOXML document contains an external relationship pointing to a remote URL, indicating an attempt to fetch and execute content from an external source. This is a common technique for delivering secondary payloads. The heuristic firings strongly suggest this malicious behavior.

Heuristics 2

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://documentuser.us.org/KGfITmyU69q/XJ+PcdHl/UnLq8DPVQx/VqOsW_wINO/5Lhr9DDETQ/zQ56w==) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
    URL https://documentuser.us.org/KGfITmyU69q/XJ+PcdHl/UnLq8DPVQx/VqOsW_wINO/5Lhr9DDETQ/zQ56w==
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word\_rels\settings.xml.rels: https://documentuser.us.org/KGfITmyU69q/XJ+PcdHl/UnLq8DPVQx/VqOsW_wINO/5Lhr9DDETQ/zQ56w==
    URL https://documentuser.us.org/KGfITmyU69q/XJ+PcdHl/UnLq8DPVQx/VqOsW_wINO/5Lhr9DDETQ/zQ56w==

Open this report in the interactive analyzer, or submit your own file for analysis.