Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 200e532a620acd49…

MALICIOUS

Office (OOXML)

Size: 73.8 KB
Created: 2020-11-17 06:57:52 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-05-22
MD5: 96a438575580599f24b9824917d7ec30
SHA-1: feb6f85894fd3275a00cda1522760e47048f390f
SHA-256: 200e532a620acd49067823d6c7d41c67861d42ee60c5472179735506adb2a81a
Risk Score: 70

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is an Excel document whose visible content is a clickable image designed as a phishing lure; clicking it opens a Typeform URL (served over plain http). This suggests an attempt to harvest credentials or other sensitive information through social engineering rather than to execute code on the victim's machine. No VBA macros were extracted, but the external hyperlink attached to the image, together with the lure layout, strongly indicates a phishing attack vector.

Heuristics (3)

  • OOXML clickable image phishing/form lure (critical) OOXML_CLICKABLE_IMAGE_FORM_LURE
    Workbook uses a large embedded image as the visible document body and attaches a click-through external hyperlink to that image. The target is a form/collection service or the drawing contains download/view lure text, which is a common credential or document-phishing pattern rather than benign workbook data.
  • External hyperlinks (1) (low) OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink. Clickable URLs are stored as external relationships (TargetMode="External") in the package's .rels parts. First target: http://6abtm8tfb0k.typeform.com/to/l44B2pAZ
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://6abtm8tfb0k.typeform.com/to/l44B2pAZ (channel: Document hyperlink)
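The two structural heuristics above (a large anchored picture carrying an external click-through, and external hyperlink relationships in general) can be reproduced directly from the OOXML package. The following Python is an added example, not code from the analysis platform that produced this report: it constructs an in-memory package containing only the drawing part and its .rels file (not a complete, Excel-openable workbook), then scans it the way the heuristics describe. The list of form/collection hosts beyond typeform.com, the anchor-size threshold and the lure-word list are assumptions chosen for illustration; only the Typeform URL comes from the report.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "xdr": "http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing",
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "pr": "http://schemas.openxmlformats.org/package/2006/relationships",
}
HYPERLINK_REL = NS["r"] + "/hyperlink"
# Assumed: form/collection hosts to flag (only typeform.com appears in the report).
FORM_HOSTS = ("typeform.com", "forms.office.com", "docs.google.com", "jotform.com")
LURE_TEXT = re.compile(r"\b(view|download|open|preview|sign in)\b", re.I)
# Assumed threshold: an anchor at least this big is "the visible document body".
LARGE_ROWS, LARGE_COLS = 15, 6


def _rels(zf, part):
    """{rId: (target, is_external, type)} from the part's _rels/<name>.rels, if any."""
    folder, _, name = part.rpartition("/")
    rels_name = f"{folder}/_rels/{name}.rels"
    if rels_name not in zf.namelist():
        return {}
    return {
        rel.get("Id"): (rel.get("Target"), rel.get("TargetMode") == "External", rel.get("Type"))
        for rel in ET.fromstring(zf.read(rels_name)).findall("pr:Relationship", NS)
    }


def _anchor_span(anchor):
    """Rows/cols covered by a twoCellAnchor; (0, 0) for other anchor kinds."""
    frm, to = anchor.find("xdr:from", NS), anchor.find("xdr:to", NS)
    if frm is None or to is None:
        return 0, 0

    def span(tag):
        return int(to.findtext(tag, "0", NS)) - int(frm.findtext(tag, "0", NS))
    return span("xdr:row"), span("xdr:col")


def scan_package(data):
    """Return (clickable_images, external_hyperlinks) for an OOXML zip package."""
    clickable, external = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        parts = [n for n in zf.namelist() if not n.endswith(".rels")]
        # Every clickable URL is an external relationship of type .../hyperlink,
        # whether it hangs off a cell (sheet rels) or a picture (drawing rels).
        for part in parts:
            external += [t for t, ext, typ in _rels(zf, part).values() if ext and typ == HYPERLINK_REL]
        for part in parts:
            if not (part.startswith("xl/drawings/") and part.endswith(".xml")):
                continue
            root, rels = ET.fromstring(zf.read(part)), _rels(zf, part)
            text = " ".join(t.text or "" for t in root.iter(f"{{{NS['a']}}}t"))
            for anchor in root:  # twoCellAnchor / oneCellAnchor / absoluteAnchor
                click = anchor.find("xdr:pic/xdr:nvPicPr/xdr:cNvPr/a:hlinkClick", NS)
                if click is None:
                    continue
                target, is_ext, _ = rels.get(click.get(f"{{{NS['r']}}}id"), (None, False, None))
                if not is_ext:
                    continue  # internal targets (e.g. another sheet) are not lures
                rows, cols = _anchor_span(anchor)
                host = urlparse(target).hostname or ""
                clickable.append({"drawing": part, "url": target, "host": host, "rows": rows, "cols": cols,
                                  "form_service": any(host == h or host.endswith("." + h) for h in FORM_HOSTS),
                                  "lure_text": bool(LURE_TEXT.search(text))})
    return clickable, external


def classify(clickable, external):
    """Map findings to the heuristic IDs the report uses."""
    hits = []
    if any(c["rows"] >= LARGE_ROWS and c["cols"] >= LARGE_COLS and (c["form_service"] or c["lure_text"])
           for c in clickable):
        hits.append(("critical", "OOXML_CLICKABLE_IMAGE_FORM_LURE"))
    if external:
        hits.append(("low", "OOXML_EXTERNAL_HYPERLINKS"))
    return hits


def build_sample():
    """Constructed package with only the parts the scan needs (not an openable workbook)."""
    drawing = (
        f'<xdr:wsDr xmlns:xdr="{NS["xdr"]}" xmlns:a="{NS["a"]}" xmlns:r="{NS["r"]}"><xdr:twoCellAnchor>'
        "<xdr:from><xdr:col>0</xdr:col><xdr:colOff>0</xdr:colOff><xdr:row>0</xdr:row><xdr:rowOff>0</xdr:rowOff></xdr:from>"
        "<xdr:to><xdr:col>12</xdr:col><xdr:colOff>0</xdr:colOff><xdr:row>40</xdr:row><xdr:rowOff>0</xdr:rowOff></xdr:to>"
        '<xdr:pic><xdr:nvPicPr><xdr:cNvPr id="2" name="Picture 1"><a:hlinkClick r:id="rId1"/></xdr:cNvPr>'
        '<xdr:cNvPicPr/></xdr:nvPicPr><xdr:blipFill><a:blip r:embed="rId2"/></xdr:blipFill><xdr:spPr/></xdr:pic>'
        "<xdr:clientData/></xdr:twoCellAnchor></xdr:wsDr>"
    )
    rels = (
        f'<Relationships xmlns="{NS["pr"]}"><Relationship Id="rId1" Type="{HYPERLINK_REL}" '
        'Target="http://6abtm8tfb0k.typeform.com/to/l44B2pAZ" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{NS["r"]}/image" Target="../media/image1.png"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/drawings/drawing1.xml", drawing)
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    found, links = scan_package(build_sample())
    print(found, classify(found, links))
```

Running it against the constructed package reports one clickable picture spanning 40 rows by 12 columns whose target host is under typeform.com, and therefore both OOXML_CLICKABLE_IMAGE_FORM_LURE (critical) and OOXML_EXTERNAL_HYPERLINKS (low). Note the design choice: the lure heuristic keys on where the hyperlink is attached (a:hlinkClick on the picture's cNvPr) and how much of the sheet the picture covers, not on the URL alone, which is why the report lists the bare URL only as informational.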