Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 fb3394c5d564040d…

MALICIOUS

Office (OOXML) / .DOC

Size: 356.1 KB
Created: 2026-01-27 13:56:00 UTC
Authoring application: Microsoft Office Word 12.0000
First seen: 2026-01-30
MD5: a504d4814a3c1095749320e607d26968
SHA-1: 487ae0473d04935399d5bdbba6b6ed80bff251e5
SHA-256: fb3394c5d564040d5449729e133f9d043b7014bd25528b38b4b2b43a84e2b1df
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The OOXML document triggers heuristics for remote template injection and an embedded OLE object. The primary suspicious IOC is the remote template URL, which is likely used to download and execute a secondary payload. The embedded OLE object further suggests malicious intent, potentially for obfuscation or to host additional malicious content.

Heuristics 4

  • Remote template injection [high] OOXML_REMOTE_TEMPLATE
    Document references a remote template URL (http://MmΜϺМᎷᛖⅯⅿMm@014013117617/120/kn/kn.doc?&MmΜϺМᎷᛖⅯⅿMmmΜϺМᎷᛖⅯⅿMm) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in word/_rels/settings.xml.rels: http://MmΜϺМᎷᛖⅯⅿMm@014013117617/120/kn/kn.doc?&MmΜϺМᎷᛖⅯⅿMmmΜϺМᎷᛖⅯⅿMm
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://MmΜϺМᎷᛖⅯⅿMm@014013117617/120/kn/kn.doc?&MmΜϺМᎷᛖⅯⅿMmmΜϺМᎷᛖⅯⅿMm

Extracted artifacts 4

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    16ff5258582ceabf2a4e71edd91313baf430618c0f99b19b02005942bcfdbb44
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 1531904 bytes
  • ooxml_oleobject_01.bin
    7fe3766fff7de6846a1038004b6ef6e66273985b18d2bd74e17c8ade91c3ab9f
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx
    Size: 188743 bytes
  • emf_00.emf
    c16487ff5bdcfd57bf69f893c0a92f26da26c97a3f0e42443ba759cadb1ae4dc
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 44816 bytes
  • emf_01.emf
    00e403bd2aea65cf4a533a3648dc8fc68ee57b3d5c55ce341fb81d571ea588eb
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 1454420 bytes