Doc.Downloader.Redline — Office (OOXML) / .DOC malware analysis

Static analysis result for SHA-256 ecbf88f63d21b75f…

MALICIOUS

Office (OOXML) / .DOC

Size: 10.1 KB
Created: 2018-03-07 09:39:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2022-11-25
MD5: 382b6b7327b874abb6cb3c4b592463b5
SHA-1: dd520b20f13ff95233ce321da36a48006484a6f9
SHA-256: ecbf88f63d21b75f5b5f7ae1950b5b79f4da50da98446226499279a87d27c9de
Risk Score: 142

Malware Insights

Doc.Downloader.Redline · confidence 95%

MITRE ATT&CK
T1204.002 Malicious File

The file exhibits high-severity heuristics for remote template injection and external relationships, indicating it is designed to fetch content from an external source. ClamAV detection confirms this as Doc.Downloader.Redline, a known downloader family. The embedded URL is likely used to retrieve and execute a second-stage payload.

Heuristics (4)

  • ClamAV: Doc.Downloader.Redline-9972754-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Redline-9972754-0
  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://0000000020000322000000010023000004000050000230000000@911154186/000000_0000000_000000_000000_0000000_000000_0000/_______________0_____) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/webSettings.xml.rels: http://0000000020000322000000010023000004000050000230000000@911154186/000000_0000000_000000_000000_0000000_000000_0000/_
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.