Win.Malware.LNKAgent-10043840-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 541056e7746eef1c…

MALICIOUS

Office (OOXML)

Size: 19.0 KB
Created: 2018-11-03 15:16:32 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2019-04-21
MD5: eb484938653073a6f47e1d5a04ceb8a9
SHA-1: 213a48a25b179c83f13bd803298fa7913aa8fc65
SHA-256: 541056e7746eef1ce37cddfbcfbdc8d20c7eba05e855ca030f50062babdf1082
Risk Score: 142

Malware Insights

Win.Malware.LNKAgent-10043840-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is detected as Win.Malware.LNKAgent-10043840-0 and contains an embedded OLE object (xl/embeddings/oleObject1.bin) that likely carries the malicious payload. The document body attempts to lure the user to the URL https://cryptotrendz.com/ by promising cryptocurrency trading signals, a common social engineering tactic.

Heuristics (3)

  • ClamAV: Win.Malware.LNKAgent-10043840-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Malware.LNKAgent-10043840-0
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://cryptotrendz.com/ In document text (OOXML body / shared strings)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
    Size: 4608 bytes
    SHA-256: b687801fd1bd427009bcb9d03ed34e2d19556e6a030948d078b103d7afd9534a
    Detection: ClamAV: Win.Malware.LNKAgent-10043840-0
    Obfuscation or payload: unlikely
  • ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package
    Source: OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 2189 bytes
    SHA-256: a828ab862e1a0bde75e9d701de5451744cc71f103f1ac9ef7e1cf84f9b6ef4e1
    Detection: ClamAV: Win.Malware.LNKAgent-10043840-0
    Obfuscation or payload: unlikely
  • emf_00.emf
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 5076 bytes
    SHA-256: 2bc82f2a93ab713f57d97027ab452d5efdd2da1302d5e7307a8f09498baeddfe