Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 649df0fc7018fc42…

MALICIOUS

Office (OOXML)

Size: 163.9 KB
First seen: 2021-07-02
MD5: 3ff667643f97204e85d93ec517b9f745
SHA-1: 3b429755ee03a5458f472dc22aa0dec37af8675b
SHA-256: 649df0fc7018fc4293d224ab1df9264be5b0b35ab5c2601136f7a1130fb9dd88
Risk Score: 62

Heuristics 2

  • Excel 4.0 macro hidden in a regular worksheet part (severity: critical, rule: OOXML_XLM_MACRO_IN_WORKSHEET)
    Workbook declares an Auto_Open / Auto_Close defined name and stores Excel 4.0 (XLM) download/execute logic inside parts declared as normal worksheets — there is no xl/macrosheets/ part or xlMacrosheet relationship, so structural XLM detectors that trust the macro-sheet content type miss it. Resolved WinAPI download/exec strings (URLDownloadToFile / ShellExecute) sit directly in worksheet cells. This is the OOXML XLM auto-execution surface in disguise, a 2021-era evasion used by builders such as AsHkERE/EZHE.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://wmwifbajxxbcxmucxmlc.com/files/april24.dll (referenced by macro)