Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 f29bd9f902ca3571…

MALICIOUS

Office (OOXML) / .DOC

Size: 236.5 KB
Created: 2024-11-25 08:51:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: bcc8ccb4b78f0d763c269713fc1086bb
SHA-1: b4f8cc8571ca8b1f44a8e2fb38bfc891d091ef10
SHA-256: f29bd9f902ca35718d2afed5f60885e4ac1f57a56dfe5ffcdcdb7c9aa01a4e27
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution

The OOXML document contains heuristics indicating remote template injection and external relationships pointing to a suspicious URL. This suggests the document is designed to load external content, likely malicious, from the identified URL. The embedded EMF files may contain further malicious content or be used to facilitate the execution of a payload.

Heuristics (3)

  • Remote template injection (severity: high, rule: OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://short.ruksk.com/ecc1vM?&visit=omniscient&leaf=nondescript&minion=auspicious&environment=selective&might) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule: OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://short.ruksk.com/ecc1vM?&visit=omniscient&leaf=nondescript&minion=auspicious&environment=selective&might
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: emf_00.emf
SHA-256: eb4e04ebf5d749f46631b903b8aed497fdae7a6fb6b143d12c2bd5ead43881e3
Kind: ooxml-emf
Source: OOXML EMF part: word/media/image1.emf
Size: 52712 bytes

Filename: emf_01.emf
SHA-256: 761b373ddabbd4190d2778697d3d10bc4a0e74ac234e7037d6caf46854b41c8e
Kind: ooxml-emf
Source: OOXML EMF part: word/media/image2.emf
Size: 234700 bytes