Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 cc26a0106035c777…

MALICIOUS

Office (OOXML) / .DOC

Size: 303.7 KB
Created: 2024-10-10 15:54:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: b61e5d8b49c6e7d5d0e5e2a5deff02b4
SHA-1: 2fc394cf620e69d39b1648e35f54ebd4ee98c867
SHA-256: cc26a0106035c7773b2c744ecc87993b030f4cd76c2913c01294fb5ad1e3d014
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1559.001 Component Object Model Hijacking

The document exhibits characteristics of malicious OOXML files, specifically remote template injection and the presence of an embedded OLE object. These heuristics suggest the file is designed to download and execute a secondary payload. The embedded OLE object and external relationships are key indicators of this malicious intent.

Heuristics (4)

  • Remote template injection [high] OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://shuvi.io/baEqcq), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://shuvi.io/baEqcq
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-com

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • ooxml_oleobject_00.bin
    SHA-256: 8a6c824e85c9db497d73c13c466de01e417e7878931a0bd27c7cbb07018f5ff7
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls
    Size: 187904 bytes
  • emf_00.emf
    SHA-256: f342cf7bfc8622b1abb64e960018ce879816aa5a551c3e37fe9b23e4a51c1d9e
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image3.emf
    Size: 187044 bytes
  • emf_01.emf
    SHA-256: ab9bee8e92ef5bf84a924ccce3a8450990d88d766b1d2da8b4c76075e71f9f66
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 50496 bytes
  • emf_02.emf
    SHA-256: e784e292bb2e8fc8bdbb0efa17d86eefa977ff1a95f1c63019c3a1d26688a8e7
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 96712 bytes