Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 dcf1f0e70afb3896…

Verdict: MALICIOUS

File type: Office (OOXML) / .DOC

Size: 540.7 KB
Created: 2026-02-02 18:26:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 55acdf731ff056453faa21790587392a
SHA-1: 95a1110f7bca383128caad618a95eb1974a188fd
SHA-256: dcf1f0e70afb3896758d719cd3b122522c2147e21e536e9531ca337c7137cd5d
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1559.001 Component Object Model

The OOXML_REMOTE_TEMPLATE and OOXML_EXTERNAL_REL heuristics indicate that the document is configured to fetch external content, likely a malicious payload. The presence of an embedded OLE object further supports this, since OLE objects can be used to execute arbitrary code. The embedded URL is the primary indicator of the download source for the secondary stage.

Heuristics (5)

  • Remote template injection (severity: high) [OOXML_REMOTE_TEMPLATE]
    Document references a remote template URL (https://n9x.co/kahmG7?&sdf23f98398298392482938ds9f8sd9f9329239f8293f9239f) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium) [OOXML_EXTERNAL_REL]
    External target in word/_rels/settings.xml.rels: https://n9x.co/kahmG7?&sdf23f98398298392482938ds9f8sd9f9329239f8293f9239f
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
  • Suspicious extracted artifact (severity: info) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-compatibili

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • ooxml_oleobject_00.bin
    SHA-256: ef3c3bd86b9c6bee9f950c2124b2486fc1411f968a3aaa426cdada03de348cef
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 242176 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.93, consistent with packed or encrypted content.
  • ooxml_oleobject_01.bin
    SHA-256: c7c64f14006ec6776c8dccc2c2bcd2c721c6a823f5bfc2b543d9ab6f1c2d299d
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject2.bin
    Size: 1515008 bytes
  • emf_00.emf
    SHA-256: 0bb659488252c1181bae827526c2db77cb4150460c7c914d64a08095a4282a65
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 1454420 bytes
  • emf_01.emf
    SHA-256: fec103c7a2d01f9f6a9c946eaafb5d1cfe1cd447bfa9709de66a5901d864a67c
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 1505804 bytes