Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 c8a8d2caa429a8bb…

MALICIOUS

Office (OOXML) / .DOC

Size: 129.2 KB
Created: 2020-09-24 11:36:00 UTC
Authoring application: Microsoft Office Word 16.0000
MD5: 6c7fb32d476b7a367df0403b6a8c950f
SHA-1: 550db9c70010a50ed964356e6cc4393427b19c9e
SHA-256: c8a8d2caa429a8bbe885ef8d59d982b4bfd9c48f1255ff69e3b81c6bbd7b2925
Risk score: 60

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The OOXML document contains heuristics indicating remote template injection and external relationships, both pointing to the same suspicious URL. This suggests the document is designed to load and potentially execute malicious content from an external source. The specific intent of the external content cannot be determined without further analysis, but the mechanism is indicative of a downloader or exploit delivery.

Heuristics (3)

  • Remote template injection (severity: high, rule OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://www.dronerc.it/shop_testbr/localization/dir_photoes/logo.php?image=plogo_vp.png) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://www.dronerc.it/shop_testbr/localization/dir_photoes/logo.php?image=plogo_vp.png
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas
    • http://schemas.microsoft.com/office/drawing/2014/chartex
    • http://schemas.microsoft.com/office/drawing/2015/9/8/chartex
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2010/wordml
    • http://schemas.microsoft.com/office/word/2012/wordml
    • http://schemas.microsoft.com/office/word/2015/wordml/symex
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape