Office (OOXML) / .XLSX static analysis report

Static analysis result for SHA-256 1374b7da5c49761f…

SUSPICIOUS

Office (OOXML) / .XLSX

Size: 2.34 MB
Created: 2026-05-25 04:57:42 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2026-05-28
MD5: 9d70f8e6c512b5b96e25d7a55f91dd58
SHA-1: 81abb42563d1baeb6fe36d27a5f60ed6d2e64071
SHA-256: 1374b7da5c49761fc87fc2a9c682b478a9623155fff285d1e7b867de3837780d
Risk score: 42

Heuristics (2)

  • LOLBin token sequence in document text (severity: high) SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info (informational) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.