MALICIOUS
122
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 Command and Scripting Interpreter
T1566.001 Privilege Escalation
T1071.001 Application Layer Takeover
The heuristic detections, specifically OOXML_REMOTE_TEMPLATE and CLAMAV_DETECTION, strongly indicate a remote template injection attack. The document leverages a URL (https://bit.ly/2TbLATi) to load a macro-enabled template, a common tactic used by malware families like Hancitor and Emotet. The document body confirms this, detailing the use of external relationships to achieve remote template injection. The intent is to download and execute a secondary payload from the embedded URL, likely a dropper or a command-and-control component.
Heuristics 4
-
ClamAV: Doc.Downloader.Redline-9972754-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Redline-9972754-0
-
Remote template injection high OOXML_REMOTE_TEMPLATEDocument references a remote template URL (https://bit.ly/2TbLATi) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
-
External relationship medium OOXML_EXTERNAL_RELExternal target in word/_rels/webSettings.xml.rels: https://bit.ly/2TbLATi
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2006/wordml
- https://bit.ly/2TbLATi
Open this report in the interactive analyzer, or submit your own file for analysis.