Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 c49b4d370ad0dcd1…

Verdict: MALICIOUS

File type: Office (OOXML) / .DOCX

File size: 10.9 KB

MD5: 44b3f46a370faf94cc51386b4ccaab83
SHA-1: 5de4215ba91bd52ae7371a049c23c8239302f3a5
SHA-256: c49b4d370ad0dcd1e28ee8f525ac8e3c12a34cfcf62ebb733ec74cca59b29f82

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The OOXML file contains heuristics indicating remote template injection and an external relationship, both pointing to the download of a malicious template from the provided URL. This suggests a social engineering attack aimed at tricking the user into downloading and potentially executing a malicious file disguised as a document template.

Heuristics (2)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://ms-office.services/templates-for-word/download?id=I5I2MUXZT7WF6MGW), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
    URL: https://ms-office.services/templates-for-word/download?id=I5I2MUXZT7WF6MGW
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word\_rels\settings.xml.rels: https://ms-office.services/templates-for-word/download?id=I5I2MUXZT7WF6MGW
    URL: https://ms-office.services/templates-for-word/download?id=I5I2MUXZT7WF6MGW