Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 0f40426c8f2a6e7d…

MALICIOUS

Office (OOXML)

195.9 KB Authoring application: 14.0300 First seen: 2021-11-20
MD5: bc6bc4c3d768d9e6c72be005900fc5e7 SHA-1: 021e6a365fc7d02c91496c745df3c39b67897361 SHA-256: 0f40426c8f2a6e7dc17fef0b6eab53b5394f2bc6c800a9e04d3353542ede9ea5
102 Risk Score

Malware Insights

MITRE ATT&CK
T1218.011 System Binary Proxy Execution: Rundll32

The file contains embedded URLs and a sequence of commands that suggest it attempts to download and execute a second-stage payload. Specifically, the document body contains references to 'rundll32.exe' and 'Wscript.Shell' along with multiple URLs, indicating a downloader functionality. The ClamAV detection as 'Xls.Downloader.TrendMicroDridex0521-9860965-0' further supports this assessment.

Heuristics 3

  • ClamAV: Xls.Downloader.TrendMicroDridex0521-9860965-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.TrendMicroDridex0521-9860965-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://adventphilomels.org/wp-includes/sodium_compat/src/Core32/ChaCha20/ecbCQtOlK8wLZzY.php In macro / runtime command snippet
    • https://multigranos.com.bo/wp-content/plugins/woocommerce/i18n/languages/xRrL7GcQN0.phpIn document text (OOXML body / shared strings)
    • https://kpleads.com/kpleads.ali/wp/wp-includes/js/codemirror/FA0MND35N.phpIn document text (OOXML body / shared strings)
    • https://gulfbeautygt.com/images/byaLcZQlkP5.phpIn document text (OOXML body / shared strings)
    • https://sitonyourassandmakemoney.com/wp-content/plugins/cartflows/theme-support/astra/sOR3qwEjQh3.phpIn document text (OOXML body / shared strings)
    • https://meaamarelmorshedy.com/cpx_admin/plugins/ckeditor/skins/moono/dla4Okf7bQ3.phpIn document text (OOXML body / shared strings)
    • https://lifezhonour.com/backup-11-06-2020/vendor/phpmailer/phpmailer/language/kuVnna5b5FX3Hps.phpIn document text (OOXML body / shared strings)
    • https://wypozyczalnia-dragon.pl/libraries/fof/integration/joomla/filesystem/v566mU4QOL0.phpIn document text (OOXML body / shared strings)
    • https://smarttechbv.com.br/wp-content/plugins/wp-fastest-cache/css/fonts/5kbCoM4jSnAI.phpIn document text (OOXML body / shared strings)

Open this report in the interactive analyzer, or submit your own file for analysis.