MALICIOUS
100
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.001 PowerShell
The OOXML document contains heuristics indicating remote template injection and external relationship exploitation. It also contains visible command execution instructions, likely involving PowerShell, to download and execute a second-stage payload from the embedded URL. The primary intent appears to be the execution of arbitrary code via a malicious document.
Heuristics 4
-
Remote template injection high OOXML_REMOTE_TEMPLATEDocument references a remote template URL (https://www.auditmessages.com/de-de?t=eyJhbGciOiJIUzI1NiJ9.eyJ0cmFja2luZ190b2tlbiI6ImI0ODc1NTZkLTU1MTctNGE5Mi05MTJlLTJlNjU0MDU3ZGI3MiIsImNlb) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
-
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMANDDocument contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
-
External relationship medium OOXML_EXTERNAL_RELExternal target in word/_rels/settings.xml.rels: https://www.auditmessages.com/de-de?t=eyJhbGciOiJIUzI1NiJ9.eyJ0cmFja2luZ190b2tlbiI6ImI0ODc1NTZkLTU1MTctNGE5Mi05MTJlLTJlN
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://opendope.org/xpaths
- http://opendope.org/conditions
- http://opendope.org/questions
- http://opendope.org/answers
- http://opendope.org/components
- http://opendope.org/SmartArt/DataHierarchy
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.microsoft.com/office/word/2010/wordml
- http://schemas.microsoft.com/office/word/2012/wordml
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/drawingml/2006/main
- http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.microsoft.com/office/drawing/2010/main
- http://schemas.openxmlformats.org/schemaLibrary/2006/main
- http://schemas.microsoft.com/office/word/2006/wordml
- http://schemas.openxmlformats.org/drawingml/2006/chart
- http://schemas.openxmlformats.org/drawingml/2006/chartDrawing
- http://schemas.microsoft.com/office/drawing/2007/8/2/chart
- http://schemas.openxmlformats.org/drawingml/2006/diagram
- http://schemas.openxmlformats.org/drawingml/2006/picture
- http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing
- http://schemas.microsoft.com/office/drawing/2008/diagram
- http://schemas.microsoft.com/office/2006/coverPageProps
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography
- http://schemas.microsoft.com/ink/2010/main
- http://schemas.microsoft.com/office/drawing/2010/chartDrawing
- http://schemas.microsoft.com/office/drawing/2012/chart
- http://schemas.microsoft.com/office/drawing/2012/chartStyle
- http://www.w3.org/1998/Math/MathML
- http://www.w3.org/2003/InkML
- http://schemas.microsoft.com/office/drawing/2013/main/command
- http://schemas.microsoft.com/office/drawing/2014/chartex
- http://schemas.microsoft.com/office/drawing/2014/chart
- http://schemas.microsoft.com/office/drawing/2016/11/diagram
- http://schemas.microsoft.com/office/drawing/2017/03/chart
- http://schemas.microsoft.com/office/drawing/2017/model3d
- http://schemas.microsoft.com/office/drawing/2018/animation
- http://schemas.microsoft.com/office/drawing/2018/animation/model3d
- http://schemas.microsoft.com/of
Open this report in the interactive analyzer, or submit your own file for analysis.