Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 f934b28bb323edd4…

MALICIOUS

Office (OOXML) / .DOC

Size: 287.1 KB
Created: 2025-09-13 09:43:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 828cfd8f73c40445cd3f6587729da514
SHA-1: b7eb2ade1107c0fdf2f4a933eaa8f865896d0c3a
SHA-256: f934b28bb323edd41edecc32c7f9acc2f24614688758a27f92bd40f63deffc7a
Risk score: 84

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution

The sample exhibits high-confidence indicators of malicious activity, specifically OOXML_REMOTE_TEMPLATE and OOXML_EXTERNAL_REL firings, pointing to the use of a remote template at https://getabre.com/xnjCQL. This suggests the document is designed to lure the user into downloading and executing additional malicious content. The presence of an embedded OLE object further supports this, as these are often used to deliver secondary payloads.

Heuristics (5)

  • Remote template injection (severity: high, rule OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (https://getabre.com/xnjCQL) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, rule OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: https://getabre.com/xnjCQL
  • Embedded OLE object (severity: medium, rule OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/officeDocument/2006/math
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing
    • http://schemas.openxmlformats.org/wordprocessingml/2006/main
    • http://schemas.microsoft.com/office/word/2006/wordml

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size, followed by detection results where available.

  • ooxml_oleobject_00.bin
    SHA-256: 4f8bbd75e08e8f923f609823ad79a7e238b587543381b616f4ca18da137dd255
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 299008 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.96, consistent with packed or encrypted content.

  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 9afe9f5d7977bf3444372cf52722a17f2acbf80d6d03e9ff4e968ce315d5fd14
    Kind: ole-package
    Source: OOXML word/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 293975 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.99, consistent with packed or encrypted content.

  • emf_00.emf
    SHA-256: 0b5f027ee94483e60e543881f1b62b54bbf866325bd1d60b656aa2ab92250892
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 7488 bytes