Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 f6b2fe821ed026e7…

MALICIOUS

Office (OOXML) / .DOC

179.5 KB Created: 2024-08-01 04:21:00 UTC Authoring application: Microsoft Office Word 12.0000
MD5: e7bf827aae6e1dff7a2bdb89331d8411 SHA-1: 961d3f88e79b218f080d723471583812683def1c SHA-256: f6b2fe821ed026e736293704769e4537c2c2a6e5f802d35a780c811fe28b9e9b
160 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1566.002 Spearphishing Attachment T1059.005 Visual Basic

The file is identified as malicious by ClamAV with the signature Doc.Downloader.Loda-7570590-0. It utilizes remote template injection and external relationships pointing to 'https://aluminprodu.top/aoslepeterxcmsdfd.doc', indicating a downloader. The document body, while appearing to be a parts list, is likely a lure to trick the user into enabling macros, a common tactic for malware droppers. No scripts were extracted, but the heuristics strongly suggest the document's primary purpose is to download and execute a secondary payload.

Heuristics 5

  • ClamAV: Doc.Downloader.Loda-7570590-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Loda-7570590-0
  • Remote template injection high OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (https://aluminprodu.top/aoslepeterxcmsdfd.doc) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship high OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: https://aluminprodu.top/aoslepeterxcmsdfd.doc
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Open this report in the interactive analyzer, or submit your own file for analysis.