Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 cc46628096b1c48f…

MALICIOUS

Office (OOXML) / .DOC

Size: 90.3 KB
Created: 2025-02-11 05:56:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: bc0ab291694ec67aad2ef22cb680df22
SHA-1: aa0ee7bbb4f883bfe7b6f824181609f309d83ba1
SHA-256: cc46628096b1c48f36accd498026b5080b7714de6081359af69503583023eaf7
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File: User Execution
  • T1553.005 Mark-of-the-Web Bypass

The OOXML document contains heuristics indicating remote template injection and external relationships, suggesting it's designed to load malicious content from an external source. The embedded URL points to 'https://woki.me/DQaKj', which is likely the source of the malicious payload. No scripts were extracted from this sample, limiting further analysis of its execution flow.

Heuristics 3

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://woki.me/DQaKj) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://woki.me/DQaKj
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-com

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • emf_00.emf
    SHA-256: f375ef837181f05750b2046b9a81447ab22709d97d262b6b61753c013694ddeb
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 76824 bytes
  • emf_01.emf
    SHA-256: 9923cb4bf7a5fbb9c22512a2431582df95a92f67868ff26cbc80bfecbb667db7
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 250880 bytes