Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 e8f03287c51f6b29…

MALICIOUS

Office (OOXML) / .DOC

Size: 78.9 KB
Created: 2023-11-10 01:33:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 8a9fa85139fa2d1703b9e829194386e3
SHA-1: c806f09a1e941406ffc8172d85c2e811d77a2666
SHA-256: e8f03287c51f6b2992c960c487de1b74d64571a590ce84de7aced738516d699c
Risk Score: 84

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1559.001 Component Object Model Hijacking

The document exhibits characteristics of malicious OOXML files, specifically remote template injection and the presence of an embedded OLE object. The URL http://gf.to/tntnAIJbF was identified in relation to both remote template injection and external relationships, indicating it is likely the source of the malicious payload. The embedded OLE object further supports the malicious nature of the document.

Heuristics (5)

  • Remote template injection (severity: high, rule OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (http://gf.to/tntnAIJbF) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: http://gf.to/tntnAIJbF
  • Embedded OLE object (severity: medium, rule OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 6fc5394e7243b54602bc76cb295dfccd7fe83fd0440e674aede8e4e9d917559e
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
  Size: 34304 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.69, consistent with packed or encrypted content.

Filename: emf_00.emf
  SHA-256: c0da66b866cc999aee20456c2eee3eefc05046b8f5df3755f95fecb85f9f8be5
  Kind: ooxml-emf
  Source: OOXML EMF part: word/media/image1.emf
  Size: 1505804 bytes