Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 26eb8878ea23d8ee…

MALICIOUS

Office (OOXML)

195.9 KB Authoring application: 14.0300 First seen: 2021-11-21
MD5: 3b40f3d38f8a8deb19f5532c8e34867d SHA-1: 90110ea9192408682676de810101fe639fbedc39 SHA-256: 26eb8878ea23d8ee4d6ac8ae2b5783aa4cf05f9b3d2b7739553a4d0a2a42faa6
102 Risk Score

Malware Insights

MITRE ATT&CK
T1218.011 System Binary Proxy Execution: Rundll32

The file contains embedded URLs and a sequence of commands that suggest it attempts to download and execute a second-stage payload. Specifically, the document body contains references to 'rundll32.exe' and 'Wscript.Shell' along with multiple URLs, indicating a downloader functionality. The ClamAV detection as 'Xls.Downloader.TrendMicroDridex0521-9860965-0' further supports this assessment.

Heuristics 3

  • ClamAV: Xls.Downloader.TrendMicroDridex0521-9860965-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.TrendMicroDridex0521-9860965-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://adventphilomels.org/wp-includes/sodium_compat/src/Core32/ChaCha20/ecbCQtOlK8wLZzY.php In macro / runtime command snippet
    • https://multigranos.com.bo/wp-content/plugins/woocommerce/i18n/languages/xRrL7GcQN0.phpIn document text (OOXML body / shared strings)
    • https://kpleads.com/kpleads.ali/wp/wp-includes/js/codemirror/FA0MND35N.phpIn document text (OOXML body / shared strings)
    • https://gulfbeautygt.com/images/byaLcZQlkP5.phpIn document text (OOXML body / shared strings)
    • https://sitonyourassandmakemoney.com/wp-content/plugins/cartflows/theme-support/astra/sOR3qwEjQh3.phpIn document text (OOXML body / shared strings)
    • https://meaamarelmorshedy.com/cpx_admin/plugins/ckeditor/skins/moono/dla4Okf7bQ3.phpIn document text (OOXML body / shared strings)
    • https://lifezhonour.com/backup-11-06-2020/vendor/phpmailer/phpmailer/language/kuVnna5b5FX3Hps.phpIn document text (OOXML body / shared strings)
    • https://wypozyczalnia-dragon.pl/libraries/fof/integration/joomla/filesystem/v566mU4QOL0.phpIn document text (OOXML body / shared strings)
    • https://smarttechbv.com.br/wp-content/plugins/wp-fastest-cache/css/fonts/5kbCoM4jSnAI.phpIn document text (OOXML body / shared strings)

Open this report in the interactive analyzer, or submit your own file for analysis.