Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 bee2f05c3ceadc6c…

MALICIOUS

Office (OOXML) / .DOC

Size: 949.4 KB
Created: 2025-11-21 01:43:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 5a8733d28bbca2b0baff0710622796fa
SHA-1: 04e30401928e56c1c4fe8b332d11840453fae3b9
SHA-256: bee2f05c3ceadc6c18abff1bf32effb8da09bc054048e0521d028b99e746db04
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample exhibits high-confidence indicators of malicious activity, specifically remote template injection and the presence of an embedded OLE object. These heuristics strongly suggest the document is designed to lure the user into downloading and executing a secondary payload from the identified URL. The embedded OLE object likely contains the exploit or initial stage malware.

Heuristics (5)

  • Remote template injection [high] OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https:///\/\/\/\/\/\/\/\/\@eohelp.link/h9yKCA?&/\/\/\/\/\/\/\/\/\/\) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https:///\/\/\/\/\/\/\/\/\@eohelp.link/h9yKCA?&/\/\/\/\/\/\/\/\/\/\
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-compatibili

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 3c139b559b06362b3e426a879e5cc29bb8ba84c3808f2ad0264d139bd3c68bd0
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
  Size: 921088 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.

Filename: emf_00.emf
  SHA-256: bfd6184ca81df2a50b0f9fe7d8f3c94e7f9e6e380e4d47ccb7aa3e927a21b3a8
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image1.emf
  Size: 1505804 bytes