Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 bf4ac684ca1042f5…

MALICIOUS

Office (OOXML)

Size: 132.7 KB
Created: 2018-08-22 10:24:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2020-01-07
MD5: cf0142da12509f544a59093495c3a6dd
SHA-1: 928b391af8e029dd8bef4f6dd82223b961429f0d
SHA-256: bf4ac684ca1042f5b40a498dd0d1fabdfa6956ef7906bc21508ebd39ae5a79d3
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The OOXML document contains a heuristic firing for remote template injection, pointing to a suspicious URL. This indicates the document is likely attempting to load external content, a common technique for delivering malicious payloads or phishing lures. The presence of external relationship indicators further supports this, suggesting the document is configured to interact with external resources. The primary IOC is the URL used for remote template injection.

Heuristics (3)

  • Remote template injection [severity: high] OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://outlook.officebetas.com/templates/vni-times.png) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship [severity: medium] OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://outlook.officebetas.com/templates/vni-times.png
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://outlook.officebetas.com/templates/vni-times.png - Remote template reference
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/math - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing - In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2012/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordml - In document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape - In document text (OOXML body / shared strings)