Doc.Downloader.Redline-9972754-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 e6b99b5a4248fc20…

MALICIOUS

Office (OOXML)

8.9 KB Created: 2018-03-07 09:39:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2021-09-22
MD5: 180a69026f4df3b78867f009f31fc026 SHA-1: 1c9abc8543f85f256b3d0a74ca70524c9192f659 SHA-256: e6b99b5a4248fc2060c1879e32225cf6d985686176ff9ad2a87a806835926143
202 Risk Score

Malware Insights

Doc.Downloader.Redline-9972754-0 · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample exploits CVE-2023-36884 by referencing a remote RTF file located at http://192.168.1.100/msf.rtf. This indicates the document is designed to download and execute a secondary payload, consistent with the ClamAV detection of Doc.Downloader.Redline-9972754-0. The presence of external relationships and remote template injection further supports this attack pattern.

Heuristics 5

  • CVE-2023-36884 — external RTF auto-load relationship critical CVE likely CVE_2023_36884
    Document auto-load relationship references a remote RTF file (http://192.168.1.100/msf.rtf), matching the stronger Storm-0978/RomCom external-RTF delivery shape. Plain clickable hyperlinks are not enough for this CVE rule.
  • ClamAV: Doc.Downloader.Redline-9972754-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Redline-9972754-0
  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://192.168.1.100/msf.rtf) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/webSettings.xml.rels: http://192.168.1.100/msf.rtf
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.1.100/msf.rtf Remote template reference
    • http://schemas.openxmlformats.org/markup-compatibility/2006In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officedocument/2006/relationships/frameIn document text (OOXML body / shared strings)

Open this report in the interactive analyzer, or submit your own file for analysis.