Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 c1da01180246474e…

Verdict: MALICIOUS

File type: Office (OOXML) / .DOC

Size: 155.2 KB
Created: 2025-10-03 05:27:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 50fa0ce61f603cd7185ede804cdb12dd
SHA-1: 1afa213c9958fd932e50d38e6f994a24e993e201
SHA-256: c1da01180246474e5eff04d52ca02867b34e3a2ba04ab41cb9744b5dd9b798ef
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File: User Execution
  • T1559.001 Component Object Model Hijacking

The OOXML_REMOTE_TEMPLATE and OOXML_EXTERNAL_REL heuristics indicate that the document is configured to fetch external resources, likely for malicious purposes. The presence of an embedded OLE object further suggests an attempt to execute embedded code or load external content. The primary IOC is the URL associated with the remote template injection, which is highly suspicious. No scripts were extracted from this sample, limiting the ability to determine the exact payload delivery mechanism.

Heuristics (4)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (http://.............................................#ddddddddddd#--------------_-------memory=domineering&tambourine=scintillating&clove@lin) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: http://.............................................#ddddddddddd#--------------_-------memory=domineering&tambourine=sci
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 7d0c8219c8d79bfc8266cb19f83f1d921b672ddd18ee470294ab8d85a03835d5
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls
Size: 462848 bytes

Filename: emf_00.emf
SHA-256: f63b4d8f68f350f79d48cd14d411bcbbe403c081cd5a7140bc8db57aa0d080ed
Kind: ooxml-emf
Source: OOXML EMF part: word/media/image1.emf
Size: 146124 bytes