MALICIOUS
Risk Score: 70
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The OOXML document contains a clickable image designed as a lure, directing users to a Google Forms URL. This technique is commonly used for phishing campaigns to collect user credentials or other sensitive information. No scripts were extracted, and the primary IOC is the external hyperlink.
Heuristics (3)
- OOXML clickable image phishing/form lure (critical, OOXML_CLICKABLE_IMAGE_FORM_LURE): Workbook uses a large embedded image as the visible document body and attaches a click-through external hyperlink to that image. The target is a form/collection service or the drawing contains download/view lure text, which is a common credential or document-phishing pattern rather than benign workbook data.
- External hyperlinks (1) (low, OOXML_EXTERNAL_HYPERLINKS): Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://docs.google.com/forms/d/e/1FAIpQLScOWdxkFVEgkmOypYpxiiqQS9Hkgh6Ad7DOL7N50yu5ExlVDA/viewform?usp=sf_link
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: https://docs.google.com/forms/d/e/1FAIpQLScOWdxkFVEgkmOypYpxiiqQS9Hkgh6Ad7DOL7N50yu5ExlVDA/viewform?usp=sf_link (Document hyperlink)