Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 e3c8080fba2dae84…

MALICIOUS

Office (OOXML) / .DOC

Size: 695.1 KB
Created: 2024-10-23 07:48:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: a4633b398a95e20e7ec12dcaf3090e43
SHA-1: 06b1ecd43566ad5aaa16986c0bccaf5c1561a31b
SHA-256: e3c8080fba2dae8436582c23e49387b29f15dab713779d2d0f16a9d3ec022f3d
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File: User Execution
  • T1559.001 Component Object Model Hijacking

The document exhibits characteristics of a malicious OOXML file, specifically remote template injection and the presence of external relationships, pointing towards an attempt to load external content. The embedded OLE objects further suggest the inclusion of potentially malicious components. The primary IOC is the URL associated with the remote template injection, which is likely used to download and execute a secondary payload.

Heuristics (4)

  • Remote template injection [high] (OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://u4u.kids/clm3hy?&sing=cuddly&brain=hapless&kingfish=perpetual&cake=scientific&bacon=kindhearted&jelly=pumped&reveal=reflective&clock) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship [medium] (OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://u4u.kids/clm3hy?&sing=cuddly&brain=hapless&kingfish=perpetual&cake=scientific&bacon=kindhearted&jelly=pumped&rev
  • Embedded OLE object [medium] (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-compatibili

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

ooxml_oleobject_00.bin
  SHA-256: e42216d4dee8ca8a940dc2bf3cbfb96c86c7c16780dd6da12e28ce12bb0c7e8c
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
  Size: 1595392 bytes

ooxml_oleobject_01.bin
  SHA-256: 30c6bb15fb33a7081ac96673b99627a264ea5404afb1484888d75e34017992b8
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject3.bin
  Size: 1578496 bytes

ooxml_oleobject_02.bin
  SHA-256: 7c7c3c864eefef067dc4fbac146297c7ddec25e553517f45ce1c5b6e7e1a740f
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject2.bin
  Size: 1643520 bytes

emf_00.emf
  SHA-256: 7913e08c0f2237c6e9975eeba4499aa5627107017134a60b4272d90822423f12
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image3.emf
  Size: 1505804 bytes

emf_01.emf
  SHA-256: 3431033ca736890ee16648952cddaff6ddf70e17d59fcbffdf69f492b7188375
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image1.emf
  Size: 1504016 bytes

emf_02.emf
  SHA-256: 6b8bf5308896f989c556a5c64e8e7473b668ffdc7230422b8656bac3a3c6b52d
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image2.emf
  Size: 1505804 bytes