Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 d9b53ac21c34d2a0…

Verdict: MALICIOUS

File type: Office (OOXML) / .DOCX

Size: 362 B

MD5: 163ddf239f7a4234d5ba725759d61ad2
SHA-1: a0655d412fb92bdbb861ec75e7613925e6a7670e
SHA-256: d9b53ac21c34d2a031131fa607a22b7c4c3de4a3d5ede5679e50971055b16b7a

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204 Malicious File

The OOXML document contains a high-severity heuristic indicating remote template injection, pointing to the URL https://t.emobility.energy/szP3uj?&stamen=innocent. This suggests the document is designed to load external content, likely a malicious payload, from this location. No scripts were extracted from this sample.

Heuristics (2)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Standalone relationship XML references a remote template URL (https://t.emobility.energy/szP3uj?&stamen=innocent). This is the same attachedTemplate/template relationship shape used for remote-template injection in OOXML packages.
    URL https://t.emobility.energy/szP3uj?&stamen=innocent
  • Standalone OOXML relationship file (severity: medium, rule: OOXML_STANDALONE_RELS)
    File is raw OOXML relationship XML rather than a valid OOXML ZIP package. This malformed Office-extension payload still declares an external relationship and should be reviewed as relationship-based Office content.
    URL https://t.emobility.energy/szP3uj?&stamen=innocent
    Relationship namespace and type referenced:
    • http://schemas.openxmlformats.org/package/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate