Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 ebc47e4410c19ef8…

MALICIOUS

Office (OOXML) / .DOC

Size: 54.7 KB
Created: 2025-03-21 06:52:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 880212ba2295f13afadbed41b99173c2
SHA-1: 442e1bedd618e3be0fed528f16c2cb16c46198de
SHA-256: ebc47e4410c19ef837db4fc962fd224db07b6b8a529acb1afae04910b16a5402
Risk score: 80

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The file exhibits characteristics of a malicious document, specifically triggering heuristics for remote template injection and external relationships. The presence of an embedded OLE object further suggests malicious intent. The primary IOC is the URL associated with the remote template, which is likely used to fetch and execute a secondary payload.

Heuristics (4)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://t.emobility.energy/szP3uj?&stamen=innocent), a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://t.emobility.energy/szP3uj?&stamen=innocent
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-com

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
ooxml_oleobject_00.bin | 0e66c1f036ef6339a1c9eca4fcfca4afd7e3e62d76d7b603a80ce5005a0f9cd7 | ooxml-ole-object | OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls | 83456 bytes
emf_00.emf | e772a5e7c6ffee6308fc9fa0d0be6e54fd298325fad704c876f27d0e82b5f890 | ooxml-emf | OOXML EMF part: word/media/image2.emf | 39812 bytes
emf_01.emf | a1ef5bbb8ba4de356fb4b3865e387f7e5ce90f654770c78b97d36d3aaf5d1bde | ooxml-emf | OOXML EMF part: word/media/image1.emf | 53696 bytes