MALICIOUS
122
Risk Score
Malware Insights
MITRE ATT&CK
T1218.003 System Binary Proxy Execution: SharePoint
T1027 Obfuscated Files or Information
T1204.002 User Execution: Malicious File
T1059 Command and Scripting Interpreter
The sample is a Word document that utilizes remote template injection via the URL https://toui.cc/NwN to bypass traditional static analysis and fetch a malicious template. This behavior is explicitly flagged by ClamAV as Doc.Downloader.Redline, indicating the delivery of the Redline Stealer. The remote template serves as the same mechanism for executing the same second-stage payload.
Heuristics 4
-
ClamAV: Doc.Downloader.Redline-9972754-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Redline-9972754-0
-
Remote template injection high OOXML_REMOTE_TEMPLATEDocument references a remote template URL (https://toui.cc/NwN) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
-
External relationship medium OOXML_EXTERNAL_RELExternal target in word/_rels/webSettings.xml.rels: https://toui.cc/NwN
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://toui.cc/NwN
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2006/wordml
Open this report in the interactive analyzer, or submit your own file for analysis.