Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 f0183babc466c9f1…

MALICIOUS

Office (OOXML) / .DOC

Size: 221.4 KB
Created: 2025-10-30 11:34:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 452d89d8d4577dc5fce20cab80c05fbd
SHA-1: f51d89c4fd576cc10a04958fb03f73e3b321604b
SHA-256: f0183babc466c9f1eefc2f814cdb57fb2a4285eda55876f6fe7bfd83ebe40a1c
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1559.001 Component Object Model

The OOXML document triggered heuristics for remote template injection and for an external relationship, both pointing to a suspicious URL. An embedded OLE object was also detected. Together, these factors suggest the document is designed to exploit vulnerabilities or download additional malicious content. The URL identified is the primary indicator of compromise.

Heuristics 4

  • [high] Remote template injection (OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://.............02?&@kt.mrmd.com/xd4EQk?&-------------------kt.mrmd.com) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • [medium] External relationship (OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://.............02?&@kt.mrmd.com/xd4EQk?&-------------------kt.mrmd.com
  • [medium] Embedded OLE object (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml
    • http://schemas.openxmlformats.org/markup-compatibili

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    2e4b581bfbf25bf944e073c1efd0fd770289fe15d707867d1b6c9297c310de16
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls
    Size: 450560 bytes
  • emf_00.emf
    a6bab15004b53654d496572967a1f354897fede7da992257ed5d72e5b8db1ece
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 40756 bytes