Office (OOXML) malware analysis — malicious · 1f84f324b5a03e14

MALICIOUS

Office (OOXML)

73.8 KB Created: 2020-11-17 06:57:52 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-05-22

MD5: 5dfd5f334ac75248c47d266b012f2e00 SHA-1: fab6d61d8dcb42eca69e4497c6c4ded40e2e8cd1 SHA-256: 1f84f324b5a03e14556e47fa8bc6e3d9ea7acca54ba267d3d6f801be6de99f82

70 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The OOXML document contains a clickable image designed as a phishing lure, directing users to an external hyperlink. This suggests an attempt to trick the user into interacting with a malicious site, likely for credential harvesting or further exploitation. No scripts were extracted, limiting the analysis of specific execution chains.

Heuristics 3

OOXML clickable image phishing/form lure critical OOXML_CLICKABLE_IMAGE_FORM_LURE

Workbook uses a large embedded image as the visible document body and attaches a click-through external hyperlink to that image. The target is a form/collection service or the drawing contains download/view lure text, which is a common credential or document-phishing pattern rather than benign workbook data.
External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS

Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: http://g7xljkbya12.typeform.com/to/IKAYcwRk
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://g7xljkbya12.typeform.com/to/IKAYcwRk Document hyperlink

Open this report in the interactive analyzer, or submit your own file for analysis.