Malicious Office (OOXML) / .DOCX — malware analysis report

Static analysis result for SHA-256 e1e040b09fa2e209…

MALICIOUS

Office (OOXML) / .DOCX

112.9 KB
MD5: 9c57bdd159a17435420910ee9c339708
SHA-1: a7478f5b6877131c8864720fdd1c8cf81809c21d
SHA-256: e1e040b09fa2e2093be4f79234d1c76a2e228c97cfa2823d9e1e4e043016cc3d
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample is an OOXML document that triggered the remote template injection heuristic, indicating that it attempts to fetch content from an external URL. The heuristic points to 'http://87.121.221.212/obizx.doc' as the source of the remote template. This suggests the document is designed to download and execute a secondary payload.

Heuristics (2)

  • Remote template injection [high] OOXML_REMOTE_TEMPLATE
    Standalone relationship XML references a remote template URL (http://87.121.221.212/obizx.doc). This is the same attachedTemplate/template relationship shape used for remote-template injection in OOXML packages.
    URL http://87.121.221.212/obizx.doc
  • Standalone OOXML relationship file [medium] OOXML_STANDALONE_RELS
    File is raw OOXML relationship XML rather than a valid OOXML ZIP package. This malformed Office-extension payload still declares an external relationship and should be reviewed as relationship-based Office content.
    URL http://87.121.221.212/obizx.doc