Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 bdf218f09b5db054…

MALICIOUS

Office (OOXML) / .DOC

Size: 35.3 KB | Created: 2025-03-09 16:10:00 UTC | Authoring application: Microsoft Office Word 12.0000
MD5: d3471e9ab5dd039c31569b1484ff4fd6
SHA-1: 908c3bbfd45179d698b92707f271bf135d3beb7d
SHA-256: bdf218f09b5db054b5e919b56e332c690e05ea07876c7e141ab0c100b5625e58
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution

The sample exhibits characteristics of a malicious OOXML document, specifically triggering heuristics for remote template injection and external relationships. The presence of an embedded OLE object further suggests an attempt to load external content. The primary IOC is the remote URL used in these injections, which is likely the source of a secondary payload.

Heuristics (4)

  • Remote template injection (severity: high) [OOXML_REMOTE_TEMPLATE]
    Document references a remote template URL (https://link.saja.market/6DOhfU9pHu?&motorboat=madly&atm) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium) [OOXML_EXTERNAL_REL]
    External target in word/_rels/settings.xml.rels: https://link.saja.market/6DOhfU9pHu?&motorboat=madly&atm
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: c4c1ad71a84a96052615214b079940877100daada77ad45a89f201e4bddbc6f2
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls
    Size: 97280 bytes
  • Filename: emf_00.emf
    SHA-256: 5812771f0a068bbbd4e8b76c80e920bd35d550b57153a46d43ef15a7780e6cd2
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 58564 bytes