Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 c8ef6d5139e6175d…

MALICIOUS

Office (OOXML) / .DOC

Size: 3.06 MB
Created: 2011-03-30 02:05:00 UTC
Authoring application: Microsoft Office Word 16.0000

MD5: 609c2473571bf703ce985b6e44b8e343
SHA-1: 81a5705f8fb316d120607d3a43e437d41f5c275f
SHA-256: c8ef6d5139e6175dfa05c9ad6942343277a6c5ed8723472dd508d8d0235714d6

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The OOXML document triggers heuristics for remote template injection and an external relationship, both pointing to the same URL, http://beilksa.scienceontheweb.net/cookie/select/log/tmp?q=6. This suggests the document is designed to download and execute a secondary payload from that external source when opened.

Heuristics (2)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (http://beilksa.scienceontheweb.net/cookie/select/log/tmp?q=6) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
    URL: http://beilksa.scienceontheweb.net/cookie/select/log/tmp?q=6
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: http://beilksa.scienceontheweb.net/cookie/select/log/tmp?q=6
    URL: http://beilksa.scienceontheweb.net/cookie/select/log/tmp?q=6