Xls.Downloader.Agent08210-9888570-0 Office (OOXML) malware analysis — malicious · 492ec36346698943

MALICIOUS

Office (OOXML)

247.4 KB Created: 2020-12-08 15:40:16 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-07-07

MD5: 97c5e53aab1ef19141fb388cdc8eddd4 SHA-1: 158b3c49357d849b2f7f72fe26a852c09281179e SHA-256: 492ec36346698943f0babbce623db2d25bcbf9ea582859f34bf190c9b62189dc

90 Risk Score

Malware Insights

Xls.Downloader.Agent08210-9888570-0 · confidence 95%

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The sample is identified as malicious by ClamAV with the signature Xls.Downloader.Agent08210-9888570-0. It contains a clickable image designed as a lure, directing the user to the external URL https://sevicemicrosofts.mfs.gg/6EzDcyw. This URL is likely used to download and execute a secondary malicious payload.

Heuristics 4

ClamAV: Xls.Downloader.Agent08210-9888570-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Agent08210-9888570-0
OOXML clickable image phishing/form lure medium OOXML_CLICKABLE_IMAGE_FORM_LURE

Workbook uses a large embedded image as the visible document body and attaches a click-through external hyperlink to that image. The target is a form/collection service or the drawing contains download/view lure text, which is a common credential or document-phishing pattern rather than benign workbook data.
External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS

Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://sevicemicrosofts.mfs.gg/6EzDcyw
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://sevicemicrosofts.mfs.gg/6EzDcyw Document hyperlink

Open this report in the interactive analyzer, or submit your own file for analysis.