Malicious Office (OOXML) / .DOC — malware analysis report

Static analysis result for SHA-256 fbd4e59df6c46f86…

MALICIOUS

Office (OOXML) / .DOC

Size: 289.8 KB
Created: 2026-01-11 06:49:00 UTC
Authoring application: Microsoft Office Word 12.0000
MD5: 9927610ebf361884a2e17a74eaf3d068
SHA-1: d2b2d743bd9f85fb5b0454c0d0773017479107c0
SHA-256: fbd4e59df6c46f8647bb4f2992cbb65a58909e5c941b4b3a9f91db73d42cd5aa
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1559.001 Component Object Model

The file exhibits characteristics of a malicious document, specifically triggering heuristics for remote template injection and embedded OLE objects. The presence of these elements suggests an attempt to leverage external resources or exploit embedded components to compromise the user's system. The embedded OLE objects are a key indicator of potentially malicious content.

Heuristics 5

  • Remote template injection (severity: high, OOXML_REMOTE_TEMPLATE)
    Document references a remote template URL (http://00032114431330) — a common remote-template-injection vector used by Hancitor, Emotet and many phishing campaigns. Word can fetch and apply the remote template; macros in that template may execute depending on Office policy and trust state.
  • External relationship (severity: medium, OOXML_EXTERNAL_REL)
    External target in word/_rels/settings.xml.rels: http://00032114431330
  • Embedded OLE object (severity: medium, OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • Suspicious extracted artifact (severity: info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 5

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    f0a2dfe2fafb83012025e21eb4dd0e2fc2b5993cce73551ea6b3dd3507a5b86e
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject2.bin
    Size: 105984 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.90, consistent with packed or encrypted content.
  • ooxml_oleobject_01.bin
    55e09a0a98b980eae01f538ab47295a8ba4f9871334f4128f7513e2493f9ed07
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/oleObject1.bin
    Size: 105984 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.90, consistent with packed or encrypted content.
  • ooxml_oleobject_02.bin
    21577aafa623ce50f4504d2780abd28e356604f319714c822857bb7663c7c422
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: word/embeddings/Microsoft_Office_Excel_97-2003_Worksheet1.xls
    Size: 250368 bytes
  • emf_00.emf
    f529a5f4aceea654815f1a410a13d195fc1662c86d6a0081b5055e68131db34a
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image1.emf
    Size: 1505804 bytes
  • emf_01.emf
    59505fb6373405f4251188b36a077699fdf970d7e55802c059ed8fff8c51eda0
    Kind: ooxml-emf
    Source: OOXML EMF part: word/media/image2.emf
    Size: 40616 bytes