Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 c79b70d14ddd420b…

MALICIOUS

Office (OOXML) / .DOC

Size: 35.3 KB
Created: 2025-03-09 16:10:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: b0ba8b6f84857d55ca6f3ae9f844a870
SHA-1: dc0a1cdcceea5685e266f35256c9529ff04e1bd4
SHA-256: c79b70d14ddd420bfcde9350e375fd6ed49ecbc226620bf95fa4f5d6c8533185
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The OOXML_REMOTE_TEMPLATE and OOXML_EXTERNAL_REL heuristics indicate that this document is configured to load external content from the URL https://arnogo.net/WvRvbw?&cracker=smiling&pedestrian. This is a common technique for delivering malicious payloads. The presence of an embedded OLE object further supports the likelihood of malicious intent, potentially used to host or execute the payload. No scripts were extracted from this sample.

Heuristics (4)

  • Remote template injection (severity: high) OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://arnogo.net/WvRvbw?&cracker=smiling&pedestrian) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium) OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://arnogo.net/WvRvbw?&cracker=smiling&pedestrian
  • Embedded OLE object (severity: medium) OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: c4c1ad71a84a96052615214b079940877100daada77ad45a89f201e4bddbc6f2
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls
    Size: 97280 bytes
  • Filename: emf_00.emf
    SHA-256: 5812771f0a068bbbd4e8b76c80e920bd35d550b57153a46d43ef15a7780e6cd2
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 58564 bytes