Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 da1724af09a19a8c…

MALICIOUS

Office (OOXML) / .DOCX

655.2 KB Created: 2026-06-09 07:33:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2026-06-10
MD5: 4164bb94debc497fda94787b216ad62b SHA-1: c6e5db0a1775226a74b589574810de2ca248d864 SHA-256: da1724af09a19a8c35752ab13da3cd6323d06576104461052697f18c3682374c
84 Risk Score

Heuristics 5

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://biturl.in/Home/Index/DC417291?&community.cisco.com/t5/security-knowledge-base/introducing-cloud-protection/ta-p/5009108) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://biturl.in/Home/Index/DC417291?&community.cisco.com/t5/security-knowledge-base/introducing-cloud-protection/ta-p/
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://biturl.in/Home/Index/DC417291?&community.cisco.com/t5/security-knowledge-base/introducing-cloud-protection/ta-p/5009108 Remote template reference
    • https://biturl.in/Home/Index/DC417291?&community.cisco.com/t5/security-knowledge-base/introducing-cloud-protection/ta-p/Remote template reference
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • https://v3.camscanner.com/user/downloadIn document text (OOXML body / shared strings)

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 1595392 bytes
SHA-256: 6907779698498c86f2980edf10ba6e31a96716c540dffc0bd2a67fae5370ec2a
ooxml_oleobject_01.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx 107321 bytes
SHA-256: 26784c0b6cd558d18737bec0aee030796deb443c9f58a98f05c2edfdc86de367
emf_00.emf ooxml-emf OOXML EMF part: word/media/image1.emf 1505804 bytes
SHA-256: 3f3a317cc1e6bf2179f4d192678c3dd88c53b783442007ceb39ecbefd86c9e2b
emf_01.emf ooxml-emf OOXML EMF part: word/media/image2.emf 477052 bytes
SHA-256: 92b230067a56f2cb36a667fc2924be3ff1ec8705e5afcf80360e772700bd32fe