Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 f6bae44c729411a4…

MALICIOUS

Office (OOXML)

Size: 15.5 KB
Created: 2021-01-22 11:58:00 UTC
Authoring application: Microsoft Office Word 14.0000 (Word 2010, as recorded in docProps/app.xml)
First seen: 2021-02-20

MD5:     de1f5c8223505f7e8c64a4b852614b14
SHA-1:   4b08d59e384abd5cc2565bddbfb4cd344b0876cb
SHA-256: f6bae44c729411a406da045be033a0b6fa9670562095ea44b91753abdd026041

Risk score: 82

Heuristics (3)

  • Remote template injection high OOXML_REMOTE_TEMPLATE
    The document references a remote template URL (http://memoadvicr.com/dvsec/report.doc), a remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. When the document is opened, Word fetches the template over HTTP and applies it; any macros carried by the remote template may then execute, depending on Office macro policy and the trust state of the document. The lure document itself needs no macro code of its own, so macro-centric static scanners can report it clean; the outbound HTTP request for the template at open time is the network observable to hunt for.
  • External relationship high OOXML_EXTERNAL_REL
    External target (TargetMode="External") in word/_rels/webSettings.xml.rels: http://memoadvicr.com/dvsec/report.doc. An HTTP target in this relationships part is unusual for a locally authored document.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://memoadvicr.com/dvsec/report.doc (channel: remote template reference)
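As an added worked example (not code from the scanner that produced this report), the Python below reproduces the three heuristics above over an OOXML package: it walks every .rels part, keeps only TargetMode="External" relationships whose target is reachable over the network, tags attachedTemplate ones as remote templates, and records every URL seen in any XML part together with the part it came from (the EMBEDDED_URL channel label). The package it scans is a constructed fixture built inline, just enough for the scanner and not a file Word would open; the placeholder URL remote-template.example stands in for the report's memoadvicr.com indicator. It also covers the common benign case, an attachedTemplate pointing at a local file:/// path, which produces no finding.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Package-relationship namespace and the relationship Type URIs used below (OOXML / ECMA-376).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = REL_BASE + "attachedTemplate"
HYPERLINK = REL_BASE + "hyperlink"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Targets Word resolves over the network: http(s), ftp, or a UNC path.
NETWORK_TARGET = re.compile(r"(?i)^(https?://|ftps?://|\\\\)")
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://[^\s\"'<>]+")
# Namespace/schema hosts present in every OOXML part; these are not embedded URLs.
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "www.w3.org", "purl.org"}


def scan_ooxml(data: bytes):
    """Static scan of an OOXML package. Returns (findings, urls).

    findings: list of {id, severity, part, type, target} using the report's heuristic IDs
    urls:     {url: sorted list of parts it was seen in}  (the EMBEDDED_URL channel labels)
    """
    findings, urls = [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith((".xml", ".rels")):
                continue
            blob = zf.read(name)
            for url in URL_RE.findall(blob.decode("utf-8", "replace")):
                if urlsplit(url).hostname not in SCHEMA_HOSTS:
                    urls.setdefault(url, set()).add(name)
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(blob).iter("{%s}Relationship" % REL_NS):
                target, rtype = rel.get("Target", ""), rel.get("Type", "")
                # Internal targets are other parts inside the zip; only External ones leave the package.
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                if not NETWORK_TARGET.match(target):
                    continue  # e.g. file:///C:/.../Templates/Normal.dotm, the usual benign attachedTemplate
                if rtype == HYPERLINK:
                    continue  # ordinary clickable links: listed under urls, not raised as a detection
                short = rtype.rsplit("/", 1)[-1]
                findings.append({"id": "OOXML_EXTERNAL_REL", "severity": "high",
                                 "part": name, "type": short, "target": target})
                if rtype == ATTACHED_TEMPLATE:
                    findings.append({"id": "OOXML_REMOTE_TEMPLATE", "severity": "high",
                                     "part": name, "type": short, "target": target})
    return findings, {u: sorted(p) for u, p in urls.items()}


def rels(*entries):
    """Build a .rels part from (Id, Type, Target, is_external) tuples."""
    body = "".join(
        '<Relationship Id="%s" Type="%s" Target="%s"%s/>'
        % (i, t, tgt, ' TargetMode="External"' if ext else "")
        for i, t, tgt, ext in entries)
    return '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, body)


# Constructed placeholder URL standing in for the report's remote-template indicator.
TEMPLATE_URL = "http://remote-template.example/dvsec/report.doc"


def build_sample_docx(remote: str = TEMPLATE_URL) -> bytes:
    """Constructed package fixture (enough for the scanner, not a document Word would open):
    an attachedTemplate and a webSettings frame source both pointing at `remote`, plus one benign hyperlink."""
    parts = {
        "_rels/.rels": rels(("rId1", REL_BASE + "officeDocument", "word/document.xml", False)),
        "word/document.xml": '<w:document xmlns:w="%s"><w:body><w:p/></w:body></w:document>' % W_NS,
        "word/_rels/document.xml.rels": rels(
            ("rId1", REL_BASE + "settings", "settings.xml", False),
            ("rId2", HYPERLINK, "https://www.example.org/", True)),
        "word/settings.xml": '<w:settings xmlns:w="%s" xmlns:r="%s"><w:attachedTemplate r:id="rId1"/></w:settings>'
                             % (W_NS, REL_BASE.rstrip("/")),
        "word/_rels/settings.xml.rels": rels(("rId1", ATTACHED_TEMPLATE, remote, True)),
        "word/_rels/webSettings.xml.rels": rels(("rId1", REL_BASE + "frame", remote, True)),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    found, seen = scan_ooxml(build_sample_docx())
    for f in found:
        print("%-22s %-4s %s (%s) -> %s" % (f["id"], f["severity"], f["part"], f["type"], f["target"]))
    for u, where in seen.items():
        print("URL %s  seen in: %s" % (u, ", ".join(where)))
```

Running it on the fixture yields one OOXML_REMOTE_TEMPLATE and two OOXML_EXTERNAL_REL findings (settings.xml.rels and webSettings.xml.rels) and lists both URLs with the parts they came from; scanning `build_sample_docx("file:///C:/Users/u/AppData/Roaming/Microsoft/Templates/Normal.dotm")` yields no findings, since a local template path is the normal Word behaviour. To point it at a real sample, pass the bytes of the .docx/.dotm file to scan_ooxml.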