MALICIOUS
82
Risk Score
Malware Insights
MITRE ATT&CK
T1204 Malicious File
T1059 Command and Scripting Interpreter
The OOXML document contains a remote template injection and an external relationship, indicating an attempt to load content from an external source. The embedded OLE object further suggests malicious intent. The primary IOC is the URL used for the remote template, which is likely used to download and execute a secondary payload.
Heuristics 4
-
Remote template injection high OOXML_REMOTE_TEMPLATEDocument references a remote template URL (https://e.vg/hJdoABsT) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
-
External relationship medium OOXML_EXTERNAL_RELExternal target in word/_rels/settings.xml.rels: https://e.vg/hJdoABsT
-
Embedded OLE object medium OOXML_OLE_OBJECTDocument contains an embedded OLE object
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://e.vg/hJdoABsT
- http://schemas.openxmlformats.org/markup-compatibility/2006
- http://schemas.openxmlformats.org/officeDocument/2006/relationships
- http://schemas.openxmlformats.org/officeDocument/2006/math
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
- http://schemas.openxmlformats.org/wordprocessingml/2006/main
- http://schemas.microsoft.com/office/word/2006/wordml
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
ooxml_oleobject_00.binf27b400c137ad6a2cffea5f0a7d954327e2eead540a4b8856ab1962089261f3f |
ooxml-ole-object | OOXML embedded OLE part: word/embeddings/oleObject1.bin | 5632 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.