Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 e293a6f0420ac52e…

MALICIOUS

Office (OOXML) / .DOC

Size: 137.3 KB
Created: 2025-08-20 01:33:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 97bf7300d19d7806b10a24cd6dc8f92b
SHA-1: 4456cd5a918a93293a2651f3eac6bd591839ec59
SHA-256: e293a6f0420ac52ec8a37da75d173cc7c567efa3d18f14e9532cac5adb26c744
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The OOXML document contains heuristics indicating remote template injection and external relationship abuse, pointing to a malicious payload delivery mechanism. The primary IOC is the URL used for these injections, which is likely the source of the secondary payload. The presence of an embedded OLE object further supports the malicious nature of the document.

Heuristics (4)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://GOODPURPECELCOLOURTHINGS___BETTERPLACEGREATNICEFEELINGSFOR.PNNG=$@vnxy.me/NvNNYk) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://GOODPURPECELCOLOURTHINGS___BETTERPLACEGREATNICEFEELINGSFOR.PNNG=$@vnxy.me/NvNNYk
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-compatibili

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source part and size.

Filename: ooxml_oleobject_00.bin
  SHA-256: da1bde8e671e0eab310d87cfcd6a6d2e7478da5395fda9efc73c4bf6c9f86772
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
  Size: 1590272 bytes

Filename: emf_00.emf
  SHA-256: fd48d5aa09a91877e5ee8eff4692d08a3fd8157629bed5b2df9eef9507005a26
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image1.emf
  Size: 1505804 bytes