Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 dcdd3c117ec0dc6a…

MALICIOUS

Office (OOXML) / .DOC

Size: 179.5 KB
Created: 2024-08-01 04:21:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 413ed50fc5b7fc796c710bb1b0f02cc4
SHA-1: 440c50be71fbe20648115bcd65b04a75940a833a
SHA-256: dcdd3c117ec0dc6af052496d1cc0d24da9b264f566e0e763380af879dfbcdf27
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The file is detected as a downloader by ClamAV and exhibits characteristics of a malicious Office document, including remote template injection and an external relationship pointing to a suspicious URL. The document body contains a list of industrial parts, which serves as a lure to encourage users to enable macros. The heuristic 'SE_ENABLE_LURE' confirms that the document instructs the user to enable macros or editing. The primary IOC is the external URL used for the remote template injection, which is likely used to download a secondary payload.

Heuristics (5)

  • ClamAV: Doc.Downloader.Loda-7570590-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Loda-7570590-0
  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://154.216.18.222/simulators/lOpkseAloegPhxxAcv.doc) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: http://154.216.18.222/simulators/lOpkseAloegPhxxAcv.doc
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml