Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 11b53cbe419dbd1a…

MALICIOUS

Office (OOXML)

1.52 MB Created: 2021-07-21 12:49:21 UTC Authoring application: Microsoft Office PowerPoint 12.0000
MD5: 1847dcc2b968d49f2e22eb3ba324c9ad SHA-1: 0a210b3fb4b9ac83737713d60298d53f8fbabc63 SHA-256: 11b53cbe419dbd1a504099051d34fc895e092d28e0e0db2db2d29d674ebe8e9d
266 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The document uses a lure of 'Awesome Deep Web Links List' to entice users, while also containing heuristics indicating an advance-fee scam, a password-protected archive lure, and a critical request for recovery secrets or private keys. The presence of external hyperlinks and download shapes further suggests malicious intent, likely to redirect users to malicious sites or solicit sensitive information.

Heuristics 10

  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://darkwebnews.com/dark-web/fbi-hacked-tor-and-taken-down-a-child-pornography-site/
  • Call-to-action shape / download button low OOXML_DOWNLOAD_SHAPE
    Document drawing contains a call-to-action phrase ('Click Here', 'Download Now', etc.) inside a shape or text box — a common visual lure used to trick users into enabling macros or visiting a malicious URL
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://qzbkwswfv5k2oj5d.onion
    • http://rjuvjyygjqm6mlqm.onion
    • http://6xydbbfysubflwhw.onion
    • http://acropolhwczbgbkh.onion
    • http://msydqstlz2kzerdg.onion/
    • http://5c62aaokkuc4r72c.onion
    • http://4cofdcjmrctqgrie.onion
    • http://y5fmhyqdr6r7ddws.onion/
    • http://andris23zrbn2da5.onion
    • http://imtrjn3qe2tzh5ae.onion/
    • http://ocu3errhpxppmwpr.onion
    • http://ncikv3i4qfzwy2qy.onion
    • https://anonmail.biz/
    • http://confessx3gx46lwg.onion
    • http://confessx3gx46lwg.onion/
    • http://rhe4faeuhjs4ldc5.onion
    • http://apkx44pmf7fyd63e.onion
    • http://tfwdi3izigxllure.onion/
    • http://arcadian4nxs3pjr.onion
    • http://w6csjytbrl273che.onion/
    • http://w6csjytbrl273che.onion
    • http://7wxgnvsy7fapoas3.onion
    • http://wi7qkxyrdpu5cmvr.onion/
    • http://wi7qkxyrdpu5cmvr.onion
    • http://qb5qrtbcl7r624gw.onion
    • http://userl7qp24jlajyx.onion
    • http://74ypjqjwf6oejmax.onion/
    • http://sonntag6ej43fv2d.onion/en
    • http://fb2lib3argrtulnw.onion
    • http://bitblendervrfkzr.onion
    • http://blenderi54mbtyhz.onion
    • http://blenderri3sud4e6.onion
    • http://foggedli5gj36eoe.onion
    • http://4zpinp6gdkjfplhk.onion
    • http://64f7tpht2ttqyhhj.onion
    • http://bitmixe4b3xi6pgc.onion
    • http://s5q54hfww56ov2xc.onion/
    • http://darkhostkdee7jvi.onion
    • http://ejz7kqoryhqwosbk.onion/
    • http://mh7mkfvezts5j6yu.onion/
    • http://ms26ilrtla2rfuzz.onion
    • http://3wzc3w4li73zbg7m.onion
    • http://ll6lardicrvrljvq.onion/
    • http://bptfp7py2wclht26.onion
    • http://btcjaww2avywtadz.onion
    • http://btcmixhnpqlpfacx.onion
    • http://ztjn5gcdsqeqzmw4.onion
    • http://fzqnrlcvhkgbdwx5.onion/
    • http://r2d2akbw3jpt4zbf.onion/
    • http://eqnbwy4b4k4lrlq5.onion
    +3008 more URL(s)

Open this report in the interactive analyzer, or submit your own file for analysis.