Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 c43dfda63e6e5347…

MALICIOUS

Office (OOXML) / .DOCX

1.99 MB
MD5: da8e135550156706041295e7b71ab3e5 SHA-1: 740613f1a9062db908fb489a5d98ac2dd81a6ab8 SHA-256: c43dfda63e6e534776eb24d284d0bdf21115181b49d6e31091de795d957cb5fc
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204.001 User Execution: Malicious Link (T1204 is the parent technique; the remote template load itself maps to T1221 Template Injection)

Heuristics on the OOXML package indicate remote template injection: an external relationship in word/_rels/settings.xml.rels points to a URL on word.azure-company.net, a hostname that imitates a Microsoft/Azure service. Unlike a hyperlink, an attached template is fetched by Word when the document is opened, so no click is needed; the remote resource most likely serves the second stage (typically a macro-enabled template). No scripts or macros were extracted from this sample itself, which is consistent with the payload living in the remote template rather than in the document.

Heuristics (2)

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    The document attaches a remote template: the settings part's relationship file carries a relationship of the attachedTemplate type with TargetMode="External" whose target is https://word.azure-company.net/JF9z0LEXLdr/EhsArn+1/_ZRGJL6jro/N3Ottysly0/LCIgHXIIJ7/RTHcg== (an opaque, base64-like path, as is typical for single-use payload URLs). This is a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word fetches and applies the remote template at open time without user interaction; if the fetched template is macro-enabled, its macros run subject to the same Office macro policy and trust state as a local document. Note that the URL observed during static analysis may serve a different (or no) payload by the time it is revisited.
    URL https://word.azure-company.net/JF9z0LEXLdr/EhsArn+1/_ZRGJL6jro/N3Ottysly0/LCIgHXIIJ7/RTHcg==
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://word.azure-company.net/JF9z0LEXLdr/EhsArn+1/_ZRGJL6jro/N3Ottysly0/LCIgHXIIJ7/RTHcg== (the same relationship that triggers the remote-template heuristic above; any TargetMode="External" relationship is flagged at medium, the attachedTemplate type raises it to high)
    URL https://word.azure-company.net/JF9z0LEXLdr/EhsArn+1/_ZRGJL6jro/N3Ottysly0/LCIgHXIIJ7/RTHcg==
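The two heuristics above can be reproduced offline by walking every .rels part in the package and picking out relationships whose TargetMode is External, grading attachedTemplate relationships higher than other external targets. The script below is an added example and not the scanner's own code: it constructs a minimal .docx in memory (not the analysed sample; only the remote-template URL is taken from the report) with one remote attachedTemplate relationship and one ordinary external hyperlink, then reports both with the same severities the report uses. The hyperlink target https://example.com/ and all part contents are constructed for the demo.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace used by every *.rels part in an OOXML package.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type Word uses for the (possibly remote) attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
HYPERLINK = ("http://schemas.openxmlformats.org/officeDocument/2006/"
             "relationships/hyperlink")

# URL reported above for this sample.
REPORT_URL = ("https://word.azure-company.net/JF9z0LEXLdr/EhsArn+1/"
              "_ZRGJL6jro/N3Ottysly0/LCIgHXIIJ7/RTHcg==")


def external_relationships(docx_bytes):
    """Return every external relationship in the package as a list of dicts.

    Each finding has: part (the .rels path), type (short relationship type),
    target (the URL/path) and severity. An external attachedTemplate is 'high'
    (remote template injection); any other external target is 'medium'.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: worth a separate heuristic, not a relationship
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts (word/styles.xml etc.) are not interesting here
                rel_type = rel.get("Type", "")
                findings.append({
                    "part": name,
                    "type": rel_type.rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                    "severity": "high" if rel_type == ATTACHED_TEMPLATE else "medium",
                })
    return findings


def has_remote_template(findings):
    """True when any external relationship is an attached template."""
    return any(f["type"] == "attachedTemplate" for f in findings)


def build_sample_docx(template_url, hyperlink_url):
    """Constructed minimal .docx for this demo (not the analysed sample)."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>',
        "_rels/.rels":
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s/officeDocument" '
            'Target="word/document.xml"/></Relationships>' % (RELS_NS, r_ns),
        "word/document.xml":
            '<w:document xmlns:w="%s" xmlns:r="%s"><w:body><w:p><w:hyperlink r:id="rId1">'
            '<w:r><w:t>link</w:t></w:r></w:hyperlink></w:p></w:body></w:document>' % (w_ns, r_ns),
        # Ordinary external hyperlink: flagged, but only at medium.
        "word/_rels/document.xml.rels":
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" Target="%s" '
            'TargetMode="External"/></Relationships>' % (RELS_NS, HYPERLINK, hyperlink_url),
        # settings.xml references the template via r:id; the URL lives in its .rels.
        "word/settings.xml":
            '<w:settings xmlns:w="%s" xmlns:r="%s"><w:attachedTemplate r:id="rId1"/>'
            '</w:settings>' % (w_ns, r_ns),
        "word/_rels/settings.xml.rels":
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" Target="%s" '
            'TargetMode="External"/></Relationships>' % (RELS_NS, ATTACHED_TEMPLATE, template_url),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, '<?xml version="1.0" encoding="UTF-8"?>' + body)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx(REPORT_URL, "https://example.com/")
    for f in external_relationships(sample):
        print("%-6s %-16s %s -> %s" % (f["severity"], f["type"], f["part"], f["target"]))
    print("remote template:", has_remote_template(sample and external_relationships(sample)))
```

Run it against a real file with `external_relationships(open(path, "rb").read())`; scanning all .rels parts rather than only settings.xml.rels also catches external oleObject, image and frame targets that the medium-severity heuristic covers.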