Office (OOXML) / .DOCX malware analysis — malicious · c08ba7c0297cd515

MALICIOUS

Office (OOXML) / .DOCX

2.59 MB

MD5: 38e49cd1b7e5d3adb8e058040275b6fd SHA-1: b57d4826cc194c4b1e50fb267975e01332363a5b SHA-256: c08ba7c0297cd515c5a24918f6e1ec705b72cdeea40078494d8b51de447b6b8c

60 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious File T1071.001 Web Protocols

The sample is a malicious OOXML document that uses a remote template injection and an external relationship to fetch content from a suspicious URL. This indicates an attempt to download and execute a secondary payload from the provided URL, likely leading to further compromise.

Heuristics 2

Remote template injection high OOXML_REMOTE_TEMPLATE

Document references a remote template URL (https://cloud.azure-company.net/G+UTMW7+7YHckDVpI/nUyfKjTe8i/2oVSkbzP5L/XeEc08P4lt/6gcBSBQ=/=) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.

URL https://cloud.azure-company.net/G+UTMW7+7YHckDVpI/nUyfKjTe8i/2oVSkbzP5L/XeEc08P4lt/6gcBSBQ=/=
External relationship medium OOXML_EXTERNAL_REL

External target in word\_rels\settings.xml.rels: https://cloud.azure-company.net/G+UTMW7+7YHckDVpI/nUyfKjTe8i/2oVSkbzP5L/XeEc08P4lt/6gcBSBQ=/=

URL https://cloud.azure-company.net/G+UTMW7+7YHckDVpI/nUyfKjTe8i/2oVSkbzP5L/XeEc08P4lt/6gcBSBQ=/=

Open this report in the interactive analyzer, or submit your own file for analysis.