Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d757097e50d05eff…

MALICIOUS

Office (OOXML)

10.1 KB Created: 2018-03-07 09:39:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2021-06-30
MD5: c0534b394a520926576f93d2fcb53460 SHA-1: 385d552507da8decf487efb5a4c1a7d489094e06 SHA-256: d757097e50d05eff954a720ab1e128a621eb62979ae4e93feeb025aa804f83ea
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an OOXML document that exhibits remote template injection and external relationship heuristics, indicating it attempts to load content from an external source. The ClamAV detection as 'Doc.Downloader.Redline-9972754-0' strongly suggests a downloader functionality. The embedded URL 'https://itsssl.com/9h7CN' is likely the source of the malicious payload.

Heuristics 4

  • ClamAV: Doc.Downloader.Redline-9972754-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Redline-9972754-0
  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://itsssl.com/9h7CN) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/webSettings.xml.rels: https://itsssl.com/9h7CN
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://itsssl.com/9h7CN Remote template reference
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Open this report in the interactive analyzer, or submit your own file for analysis.