Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 dfca856be1be0318…

MALICIOUS

Office (OOXML) / .DOC

Size: 222.4 KB
Created: 2024-09-13 08:12:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 914459f595d2f5dbeb0959c2eae68e89
SHA-1: eabc5b3890e1e762ef4c0ce229b51543e9fa4d04
SHA-256: dfca856be1be0318b2576be829f31755d6ae907c3ae88484f925e38c981ab0b4
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1559.001 Component Object Model Hijacking

The document exhibits multiple indicators of malicious intent, including remote template injection and the presence of an embedded OLE object. The heuristic 'OOXML_REMOTE_TEMPLATE' firing with the URL 'https://ubal.do/gUT9Cn' strongly suggests an attempt to download and execute a secondary payload. The embedded OLE object further supports the likelihood of a multi-stage attack. The confidence is moderate due to the lack of script content to confirm the exact execution flow.

Heuristics (5)

  • Remote template injection [high] OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://ubal.do/gUT9Cn) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://ubal.do/gUT9Cn
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-com

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size.

  • ooxml_oleobject_00.bin
    SHA-256: 956033f713642e6e47e9a94a722da064b6e7148d659e81b4d4756856f51dadcc
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 139776 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.73, consistent with packed or encrypted content.
  • emf_00.emf
    SHA-256: 0e73a6dfad290487061b1c0cc0825f403cd01210c2cb75ea9da45f404d4ac641
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image3.emf
    Size: 1505804 bytes
  • emf_01.emf
    SHA-256: a381ab0946e8642aa99ce85bca272f56bf22e61218ce02631b0b6612ea460c28
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 25476 bytes
  • emf_02.emf
    SHA-256: 68ce6c2b5a397309f3ec96a4e4b38fdf4fdf37de9652f8b7ba7ca1ed335eab9e
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 13284 bytes