Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 c9811f9e2135c00b…

MALICIOUS

Office (OOXML) / .DOC

Size: 800.1 KB
Created: 2024-10-05 15:16:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 7fc626db12e97f853d1f278741ddb483
SHA-1: 085e7bde56cf4b90f8fd9af7d9aefb1676017e1b
SHA-256: c9811f9e2135c00b5aab845b7cc43f15f2a61ab6f8d5a99026a79039d8e16835
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1559.001 Inter-Process Communication: Component Object Model

The sample exhibits two characteristics of a malicious OOXML document: a remote template reference and an embedded OLE object. Neither relies on a parser vulnerability; both abuse documented Office features to pull in or activate content the document itself does not carry, and the combination is typical of a phishing lure rather than of a benign file. The URL 'https://wrath.me/PcnsFe' is the target of the remote template relationship and is therefore the likely download vector; treat it as an indicator.

Heuristics 4

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://wrath.me/PcnsFe) through the attachedTemplate relationship in word/_rels/settings.xml.rels, the remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word resolves the relationship on open, fetches the template and applies it; macros in that template may execute depending on Office policy and trust state, and the fetch itself tells the operator that the lure was opened. To verify by hand, unzip the file and confirm the relationship carries TargetMode="External".
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://wrath.me/PcnsFe
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object (word/embeddings/oleObject1.bin, 1777664 bytes, carved below as ooxml_oleobject_00.bin). The report does not identify the object's type; examine the carved part before drawing conclusions, since embedded OLE parts range from harmless spreadsheets to Packager objects that drop and run a payload when activated.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Every URL listed here is an OOXML or Office XML namespace identifier found in any Word document, so none of them is an indicator; the only network-relevant URL in this sample is the remote template target above.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-compatibili
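The three structural heuristics above can be reproduced with nothing more than the zip and XML libraries that ship with Python. The script below is an added example, not the analyzer's own code: it walks every *.rels part of a .docx looking for relationships with TargetMode="External", flags the attachedTemplate relationship in word/_rels/settings.xml.rels as the remote-template pattern, and lists parts under word/embeddings/. The document it scans is constructed inside build_sample_docx(); only the remote URL and the part names are taken from this report, and the OLE part is a stand-in header, not the real 1.7 MB object.

```python
"""Re-implementation of the OOXML_EXTERNAL_REL, OOXML_REMOTE_TEMPLATE and
OOXML_OLE_OBJECT heuristics over a .docx held in memory.

Added example, not the analyzer's own code. The document produced by
build_sample_docx() is constructed for the demo: only the remote URL and
the part names (word/_rels/settings.xml.rels, word/embeddings/oleObject1.bin)
are taken from the report.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = REL_BASE + "/attachedTemplate"
OLE_OBJECT = REL_BASE + "/oleObject"
# Targets that leave the package: web, FTP, file:// and UNC paths.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "file://", "\\\\")


def external_relationships(docx_bytes):
    """Return (rels_part, rel_type, target) for every relationship whose
    TargetMode is External, across every *.rels part in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") == "External":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def embedded_ole_parts(docx_bytes):
    """Return (part_name, uncompressed_size) for parts under word/embeddings/."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return [(i.filename, i.file_size) for i in z.infolist()
                if i.filename.startswith("word/embeddings/") and not i.is_dir()]


def scan(docx_bytes):
    """Emit (heuristic, severity, detail) tuples in the report's own vocabulary."""
    findings = []
    for part, rel_type, target in external_relationships(docx_bytes):
        if target.lower().startswith(REMOTE_SCHEMES):
            findings.append(("OOXML_EXTERNAL_REL", "medium", "%s: %s" % (part, target)))
        # settings.xml.rels + attachedTemplate + External is the remote-template
        # pattern: Word resolves it on open, before the user sees the body.
        if rel_type == ATTACHED_TEMPLATE and part == "word/_rels/settings.xml.rels":
            findings.append(("OOXML_REMOTE_TEMPLATE", "high", target))
    for name, size in embedded_ole_parts(docx_bytes):
        findings.append(("OOXML_OLE_OBJECT", "medium", "%s (%d bytes)" % (name, size)))
    return findings


def build_sample_docx(template_url=None, with_ole=True):
    """Constructed minimal .docx: enough package structure for the scanner,
    not a faithful copy of the analysed sample."""
    settings_rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
                     '<Relationships xmlns="%s">' % REL_NS]
    if template_url:
        settings_rels.append(
            '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
            % (ATTACHED_TEMPLATE, template_url))
    settings_rels.append("</Relationships>")
    document_rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
                     '<Relationships xmlns="%s">' % REL_NS]
    if with_ole:
        document_rels.append(
            '<Relationship Id="rId2" Type="%s" Target="embeddings/oleObject1.bin"/>' % OLE_OBJECT)
    document_rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", "\n".join(settings_rels))
        z.writestr("word/_rels/document.xml.rels", "\n".join(document_rels))
        if with_ole:
            # OLE compound-file magic plus padding; a stand-in, not real OLE content.
            z.writestr("word/embeddings/oleObject1.bin",
                       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for heuristic, severity, detail in scan(build_sample_docx("https://wrath.me/PcnsFe")):
        print(heuristic, severity, detail)
```

Run it as a script to see the three findings the report raises; pass real file bytes to scan() to triage a suspect document. The scanner deliberately reads every *.rels part rather than only settings.xml.rels, because the same External-target trick appears in document.xml.rels (oleObject, hyperlink and image relationships) and in footnote or header parts; the attachedTemplate case is singled out only because it fires without any user interaction.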

Extracted artifacts 6

Files carved from inside the sample during analysis.

ooxml_oleobject_00.bin
  SHA-256: 9b7393478aedf4b44389d245d64927b097f76958b50e26bfb0e6fcb807de1568
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: word/embeddings/oleObject1.bin
  Size:    1777664 bytes

emf_00.emf
  SHA-256: f5914f695c0f58cb99246e66470c16ff7f1be6c63010600bf0c4e4c7a130ba99
  Kind:    ooxml-emf
  Source:  OOXML EMF part: word/media/image5.emf
  Size:    50496 bytes

emf_01.emf
  SHA-256: 0c5d26a995ca6be9a4fede95b958dcf3039e10c857ab260c54f466020664eb16
  Kind:    ooxml-emf
  Source:  OOXML EMF part: word/media/image4.emf
  Size:    86860 bytes

emf_02.emf
  SHA-256: cf9f717e428092bc8bd924b874c8e584aa0fb8743e3cab6324fb5a7ee330a356
  Kind:    ooxml-emf
  Source:  OOXML EMF part: word/media/image1.emf
  Size:    187044 bytes

emf_03.emf
  SHA-256: f328fb5b6055b687344190bb13d8dd6cdf6ea76d4aaae6c5112dec1b32ace3c2
  Kind:    ooxml-emf
  Source:  OOXML EMF part: word/media/image2.emf
  Size:    1504468 bytes

emf_04.emf
  SHA-256: c9cd67f73e83803fb9be2b79c03cbcfb9515ae50203fe4368124d75c5aae3a28
  Kind:    ooxml-emf
  Source:  OOXML EMF part: word/media/image3.emf
  Size:    97656 bytes