Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 d5e214f3096564df…

MALICIOUS

Office (OOXML) / .DOC

Size: 410.2 KB
Created: 2023-11-10 01:33:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2024-05-23
MD5: 0d0f500d82551e733eab0fb1060a49da
SHA-1: 1e9af5dd484358b007673b0d7f9b85f8ac1a7b6c
SHA-256: d5e214f3096564dfc3e348b6a3ac6aeefed75d785ac7cfab5d3019f67fdbc9be
Risk score: 84

Malware Insights

MITRE ATT&CK
T1204 User Execution (T1204.002 Malicious File) T1059 Command and Scripting Interpreter

The document's settings part carries an external attached-template relationship pointing at http://bot.ax/hNZdz. Word requests that template when the file is opened, so this is the primary delivery vector: whatever the server returns (typically a macro-enabled .dotm) is applied as the document template, and any macros in it run subject to the Office macro policy and trust state of the victim. The eight embedded OLE objects are a second, user-activated vector: an embedded OLE object is not executed on open but is launched when the user activates it. Their high entropy (7.69 to 7.72) and the absence of any signature hit mean their contents are packed or encrypted; what they do can only be established by extracting them and running them in a sandbox. Seven of the eight share the same size (34304 bytes) and entropy value, which suggests near-identical copies of one object. Treat the URL, its host and the document hashes as indicators; the ClamAV misses are not evidence that the objects are benign.

Heuristics 5

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://bot.ax/hNZdz) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: http://bot.ax/hNZdz
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://bot.ax/hNZdz (external relationship target in word/_rels/settings.xml.rels; see OOXML_REMOTE_TEMPLATE above)
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    The six schemas.openxmlformats.org / schemas.microsoft.com entries are XML namespace identifiers that every Word-generated OOXML package declares; they are not network indicators and should not be blocked or hunted on.

Extracted artifacts 10

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size (with SHA-256 and static triage notes per artifact)

ooxml_oleobject_00.bin
  SHA-256: ed535673b95ecc46b74cfd9bca9b929366331f1f798b27356bfd9c0cfb4b29f0
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject4.bin
  Size: 34304 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy 7.69, consistent with packed or encrypted content)

ooxml_oleobject_01.bin
  SHA-256: 9459319435063843d6b87a63042541d26ec76ca30a4817a19ca8f59fa28b056b
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject9.bin
  Size: 34304 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy 7.69, consistent with packed or encrypted content)

ooxml_oleobject_02.bin
  SHA-256: 7f0ab3f7d91dd71269c80abd9df1f58d5bbc5398053178110659c091764ac7f1
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject2.bin
  Size: 34304 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy 7.69, consistent with packed or encrypted content)

ooxml_oleobject_03.bin
  SHA-256: 2b7c288488e7c34b274554b6ce676174d4d995b0213051581786a2b2bd6fadf7
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject5.bin
  Size: 34304 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy 7.69, consistent with packed or encrypted content)

ooxml_oleobject_04.bin
  SHA-256: f78f8387357ded67718b2991cea33822dc914f53a6a7a8b2ff4290a7a8966ddf
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject7.bin
  Size: 34304 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy 7.69, consistent with packed or encrypted content)

ooxml_oleobject_05.bin
  SHA-256: c215cff508d3512ab72d81ec585245c9a689d11887f217300ad2f558f5a36e83
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject8.bin
  Size: 34304 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy 7.69, consistent with packed or encrypted content)

ooxml_oleobject_06.bin
  SHA-256: 117b68d5ece9360554b0b53c4198a9d273325a0c5e03847fb71ee2235b5b02b0
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject11.bin
  Size: 34304 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy 7.69, consistent with packed or encrypted content)

ooxml_oleobject_07.bin
  SHA-256: 84450e2fc84a81d87b478c3e18b2b5402f10b2294b4493c6056615a339fbd0c2
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject6.bin
  Size: 34816 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy 7.72, consistent with packed or encrypted content)

emf_00.emf
  SHA-256: c0da66b866cc999aee20456c2eee3eefc05046b8f5df3755f95fecb85f9f8be5
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image1.emf
  Size: 1505804 bytes

emf_01.emf
  SHA-256: 05b2053bf1d070d6034b45cd79b54d80da3c6d88d016671a345e75048b1a68db
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image2.emf
  Size: 1505804 bytes
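The following is an added example, not the analysis platform's own code, reproducing the three OOXML structural checks from the heuristics section (OOXML_REMOTE_TEMPLATE, OOXML_EXTERNAL_REL, OOXML_OLE_OBJECT) and the entropy triage applied to the carved OLE artifacts above. It resolves `<w:attachedTemplate r:id=...>` in word/settings.xml through word/_rels/settings.xml.rels the way Word does, lists every relationship with TargetMode="External" in any .rels part, and scores each word/embeddings/*.bin part by Shannon entropy and by whether it starts with an OLE compound-file header. The package it runs on is constructed in memory; the template URL, part names and payload bytes are placeholders, not the real sample's content.

```python
"""Static OOXML triage: attached template, external relationships, OLE parts.
Added illustration of the report's checks; not the platform's own code."""
import io
import math
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file signature


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random; packed/encrypted data sits near 7.6-8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def external_relationships(zf: zipfile.ZipFile) -> list:
    """All relationships with TargetMode="External" in any .rels part.
    Returns tuples (rels_part, rel_id, rel_type, target)."""
    found = []
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("TargetMode") == "External":
                found.append((name, rel.get("Id"), rel.get("Type"), rel.get("Target")))
    return found


def attached_template(zf: zipfile.ZipFile):
    """Resolve <w:attachedTemplate r:id> through settings.xml.rels.
    Returns (target, is_external) or None when no template is attached."""
    names = zf.namelist()
    if "word/settings.xml" not in names or "word/_rels/settings.xml.rels" not in names:
        return None
    node = ET.fromstring(zf.read("word/settings.xml")).find("{%s}attachedTemplate" % W_NS)
    if node is None:
        return None
    rid = node.get("{%s}id" % R_NS)
    rels = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
    for rel in rels.iter("{%s}Relationship" % REL_NS):
        if rel.get("Id") == rid:
            return rel.get("Target"), rel.get("TargetMode") == "External"
    return None


def ole_parts(zf: zipfile.ZipFile) -> list:
    """Embedded OLE parts with size, rounded entropy and a CFB-header check."""
    out = []
    for name in zf.namelist():
        if name.startswith("word/embeddings/") and name.endswith(".bin"):
            data = zf.read(name)
            out.append({"part": name, "size": len(data),
                        "entropy": round(shannon_entropy(data), 2),
                        "is_cfb": data.startswith(CFB_MAGIC)})
    return out


def triage(docx_bytes: bytes) -> dict:
    """Run the three checks over an in-memory .docx and return the findings."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        tmpl = attached_template(zf)
        return {"remote_template": tmpl[0] if tmpl and tmpl[1] else None,
                "external_rels": external_relationships(zf),
                "ole_parts": ole_parts(zf)}


def build_sample_docx(template_url: str, embeddings: dict) -> bytes:
    """Constructed minimal package mirroring the report's layout (not the real sample)."""
    settings = ('<w:settings xmlns:w="%s" xmlns:r="%s">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>') % (W_NS, R_NS)
    settings_rels = ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                     'Target="%s" TargetMode="External"/></Relationships>'
                     % (REL_NS, ATTACHED_TEMPLATE, template_url))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        for part, data in embeddings.items():
            zf.writestr(part, data)
    return buf.getvalue()


# Placeholders, not the sample's real template URL or payloads.
PLACEHOLDER_TEMPLATE = "http://template.example.invalid/remote.dotm"
SAMPLE = build_sample_docx(PLACEHOLDER_TEMPLATE, {
    "word/embeddings/oleObject4.bin": bytes(range(256)) * 16,    # uniform bytes: entropy 8.0
    "word/embeddings/oleObject2.bin": CFB_MAGIC + b"\x00" * 504,  # genuine CFB header, low entropy
})

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run against a real sample, the interesting combination is the one this report shows: an external attachedTemplate target plus embedded parts whose entropy is near 8 bits per byte even though a plain OLE compound file has structured, low-entropy headers and FAT sectors. Parts that fail the CFB-header check but carry a .bin name under word/embeddings are worth pulling out for dynamic analysis regardless of what the antivirus says.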