MALICIOUS
110
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File: User Execution
T1566.002 Phishing: Spearphishing Attachment
The sample exploits CVE-2024-21413, a vulnerability related to Moniker Link UNC paths in OOXML files. It uses external relationships pointing to UNC paths, likely to trick users into opening a malicious Excel file. The presence of hidden worksheets further suggests an attempt to conceal malicious content. The sample also contains embedded URLs, one of which points to a potentially internal resource.
Heuristics 4
-
CVE-2024-21413 — Moniker Link UNC path in OOXML critical CVE likely CVE_2024_21413Document contains a file:///\\...! hyperlink matching the Moniker Link shape associated with CVE-2024-21413. In affected Office/Outlook paths this can bypass Protected View and trigger NTLM authentication.
-
External relationship high OOXML_EXTERNAL_RELExternal target in xl/externalLinks/_rels/externalLink1.xml.rels: file:///\\Byd01app0004\s-5\Documents and Settings\Jarek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\MTJWP0Z6
-
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEETExcel workbook contains 7 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://stranet.strabag.com/Moje
- http://notespol06/WINDOWS/TEMP/Apo.xls
- https://budimex-my.sharepoint.com/ARCHIVIO
Open this report in the interactive analyzer, or submit your own file for analysis.