Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 cbe6833a3b6f3664…

MALICIOUS

Office (OOXML)

Size: 66.6 KB
Created: 2015-11-19 06:08:00 UTC
Authoring application: Microsoft Office Word 15.0000
First seen: 2026-06-04
MD5: f92ad6a32dd19a35c87b6741b16c917c
SHA-1: 3d016acd1c29992fb2d7cc98b0b5b7f4768cdc7a
SHA-256: cbe6833a3b6f36645d64ac76cbc02adfb5f8f84b7b4bc5d633476162a92f89e4
Risk Score: 84

Heuristics (4)

  • CVE-2017-0261/0262 — EPS image filter in OOXML document [critical] [CVE related] CVE_2017_0261
    Office OOXML package embeds an EPS/PostScript media part. The Office EPS filter hosted multiple exploited memory-corruption CVEs; plain EPS content is related evidence, not enough to distinguish a specific EPS CVE.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in word/_rels/document.xml.rels: ooxWord://word/media/image1.eps
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas (OOXML external relationship)
    • http://schemas.openxmlformats.org/markup-compatibility/2006 (OOXML external relationship)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships (OOXML external relationship)
    • http://schemas.openxmlformats.org/officeDocument/2006/math (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing (OOXML external relationship)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (OOXML external relationship)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2012/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingGroup (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingInk (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2006/wordml (OOXML external relationship)
    • http://schemas.microsoft.com/office/word/2010/wordprocessingShape (OOXML external relationship)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_eps_00.eps
Kind: ooxml-eps
Source: OOXML EPS/PostScript part: word/media/image1.eps
Size: 206606 bytes
SHA-256: 10c2a8f8c28c538aae80d21673d9af955934c7d9766015e077b7214b739dff67

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).