Xls.Downloader.Agent08210-9888570-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 4db5fdb6b080471a…

MALICIOUS

Office (OOXML)

Size: 251.0 KB
Created: 2021-06-07 17:47:41 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-09-13
MD5: 2c5db7ff2f0bfc3195cc8c72d3164229
SHA-1: a166fa048e4486f02c4438f27b327c23d8e17de0
SHA-256: 4db5fdb6b080471acf0743275aa4129c93a52652a2cb5efc0771615310bae3eb
Risk Score: 86

Malware Insights

Xls.Downloader.Agent08210-9888570-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is detected as Xls.Downloader.Agent08210-9888570-0 by ClamAV, indicating it is a downloader. The document body contains invoice-related language, and a heuristic identifies it as a fake invoice lure. It also contains an external hyperlink to 'https://mcrosoftsoffice365web.mfs.gg/xKs9le1', which is likely used to download a secondary payload.

Heuristics (5)

  • ClamAV: Xls.Downloader.Agent08210-9888570-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Agent08210-9888570-0
  • External hyperlinks (1) [low] OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink; clickable URLs are stored as external relationships. First target: https://mcrosoftsoffice365web.mfs.gg/xKs9le1
  • External workbook data link [low] OOXML_EXTERNAL_REL_DATALINK
    External workbook reference in xl/pivotCache/_rels/pivotCacheDefinition1.xml.rels: JMS ENGINEERED PLASTICS INC_SOA_June.xlsx
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://mcrosoftsoffice365web.mfs.gg/xKs9le1 (channel: Document hyperlink)