Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 f3395f307f4b8de7…

MALICIOUS

Office (OOXML) / .DOC

Size: 43.9 KB
Created: 2025-02-04 11:18:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 8fed458a501d7e4d051ad997f8765102
SHA-1: f000bbd6af1c21e7a7fb4c919d3058b34d514e83
SHA-256: f3395f307f4b8de7397523e9d0e16b040577f2827cfaaa945ceb5744ff73f4bc
Risk score: 60

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The OOXML file contains heuristics indicating remote template injection and external relationships pointing to a suspicious URL. These elements suggest the document is designed to load external content, likely for malicious purposes. While no scripts were directly extracted, the presence of remote template injection strongly implies an attempt to download and execute a payload.

Heuristics (3)

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://loooooooooooooooooooog.com/hEKZnJh) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship medium OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://loooooooooooooooooooog.com/hEKZnJh
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                  Size
emf_00.emf   ooxml-emf   OOXML EMF part: word/media/image1.emf   23768 bytes
             SHA-256: 7119866b4394474c4bc9a067c301c5c33743e66ab180f485b40a136ff7694675
emf_01.emf   ooxml-emf   OOXML EMF part: word/media/image2.emf   87196 bytes
             SHA-256: bd3bec4dc2e3792f471730bdbf4969ef798f8b6dfb498540ab6012fa76da8670