Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 c9f2acf8b6b593f9…

MALICIOUS

Office (OOXML) / .DOC

Size: 224.0 KB
Created: 2023-05-24 00:47:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2023-06-01
MD5: 6afd2c75914be3cd4141fe5e009a36e1
SHA-1: a976e95e772c62bfa12aba1ce5ab245a6ded5ed7
SHA-256: c9f2acf8b6b593f98d5be6aa1a44d518dab61f16118bc62a2d514d51f3e0a323
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The document triggers the OOXML remote template injection and external relationship heuristics, indicating an attempt to fetch and execute content from a remote source. The presence of embedded OLE objects further suggests the inclusion of potentially malicious components. The primary IOC is the URL used for the remote template, which is likely the initial stage of a download-and-execute chain.

Heuristics 4

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://cloudservices.obs.ap-southeast-1.myhuaweicloud.com:443/iiuiuiiuiuuiiiiuiuu###############################iuiiiuiuiiuiuiuiuiui.doc?AW) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://cloudservices.obs.ap-southeast-1.myhuaweicloud.com:443/iiuiuiiuiuuiiiiuiuu###############################iuiiiui
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • https://cloudservices.obs.ap-southeast-1.myhuaweicloud.com:443/iiuiuiiuiuuiiiiuiuu###############################iuiiiuiuiiuiuiuiuiui.doc?AW
    • https://cloudservices.obs.ap-southeast-1.myhuaweicloud.com:443/iiuiuiiuiuuiiiiuiuu###############################iuiiiuiuiiuiuiuiuiui.doc?AWSAccessKeyId=U1KVQMESJKXUDTXUQSJH&Expires=1716651384&Signatu
    • https://cloudservices.obs.ap-southeast-1.myhuaweicloud.com:443/iiuiuiiuiuuiiiiuiuu###############################iuiiiui

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: dac8f984e4e9dd647e36cb0f568bab0aa9187d55efe78bd82e2f007058c5507f
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Macro-Enabled_Worksheet4.xlsm
Size: 11677 bytes

Filename: ooxml_oleobject_01.bin
SHA-256: 06569b42119b471f04070b4f9585a263d32198d995692e9fdded813a2a5bdf9c
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Macro-Enabled_Worksheet1.xlsm
Size: 11689 bytes

Filename: emf_00.emf
SHA-256: 1ab8f5abd845ffd0c61a61bb09bfcf20569b80b4496bccb58c623753cf40485c
Kind: ooxml-emf
Source: OOXML EMF part: word/media/image1.emf
Size: 4056 bytes