Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 e46e55d0a32708ea…

MALICIOUS

Office (OOXML) / .DOC

141.8 KB Created: 2024-07-15 05:01:00 UTC Authoring application: Microsoft Office Word 12.0000
MD5: dc8ab63708d85a9b646397c60737fa8b SHA-1: 6d4a635dcf43aa186fa094148135bb25b20b5086 SHA-256: e46e55d0a32708eade02aed79c0512e70df02e2b25e66180c139164d8248dc84
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution

The OOXML document contains heuristics indicating remote template injection and external relationships, both pointing to the URL http://exi.link/ITPNdF. This suggests the document is designed to load and execute content from this external source, likely to deliver a malicious payload. No scripts were extracted, but the presence of remote template injection is a strong indicator of malicious intent.

Heuristics 3

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://exi.link/ITPNdF) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: http://exi.link/ITPNdF
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
emf_00.emf
8a05aef60aa3ca524164d3c1c0ac369a2b42d00293b33533cfce3d5576877ef8		 ooxml-emf OOXML EMF part: word/media/image1.emf 17016 bytes
emf_01.emf
60ecd6087b9a0d8a33354d842944b4d167742d217c48227745092c37d03a54ad		 ooxml-emf OOXML EMF part: word/media/image2.emf 61948 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.