Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 77fe0f0e3735e77e…

MALICIOUS

Office (OOXML)

170.6 KB Created: 2014-07-08 19:37:28 UTC Authoring application: Microsoft Macintosh Excel 16.0300
MD5: f40220cacb037c14420d25f5c22690d0 SHA-1: d6b2d223f3e9f47023817513c8e3ab8ad9fe7977 SHA-256: 77fe0f0e3735e77ebcd6246de094c421e760942e42f8bd14cf3386e20e89507e
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The document contains a lure instructing the user to enable editing and macros, a common tactic for malware droppers. It also contains multiple embedded URLs that are likely used to download and execute a secondary payload. The ClamAV detection further confirms its malicious nature as a downloader.

Heuristics 6

  • ClamAV: Xls.Downloader.Trojan-b333b3b333898c4c-b333b3b333898c4c-9950284-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Trojan-b333b3b333898c4c-b333b3b333898c4c-9950284-0
  • Remote image (web beacon / tracking pixel) medium OOXML_IMAGE_BEACON
    Document references an external image URL — loads automatically on open, revealing IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks)
  • External relationship medium OOXML_EXTERNAL_REL
    External target in xl/drawings/_rels/drawing1.xml.rels: https://addto.password.land/XTjNkQ2RDdHJLMGxhTWtkM1JtaDBURFJNWWxka2FVNVRlbWhhUjJkalRrUm9abGxqUzJWcWQyeEdNelo0UVc1M1JETTJ
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://addto.password.land/XVEZOQ05FcDBTMDR2ZUdoV2FuWndOMlZTWlRSeFR6SjZRWFJSVkdsd1UxSmhSVEo2YUhGWVlXRkRNMWhzU1VWNVNIUndjMjF5U21SS05GZFdWQ3RWTWpOMmF6TXlURXROWTF
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://addto.password.land/XTjNkQ2RDdHJLMGxhTWtkM1JtaDBURFJNWWxka2FVNVRlbWhhUjJkalRrUm9abGxqUzJWcWQyeEdNelo0UVc1M1JETTJVR05FY0ZZdmRrVnJkV2cwV0dsaFVtcHNha3BIYjFWYWIwZFFVVkJuUzBGMmRXWlFiMWgwYzJ4V2F6UldialpUV0dSMGRGZExSVWs5TFMwMWJ6SnNUbTVDUVRoSGRVUllkakJrWmtwRGVETm5QVDA9LS1hNTA5ZGNhMzk4ZmY1NGJmYzk4MWV
    • https://addto.password.land/XVEZOQ05FcDBTMDR2ZUdoV2FuWndOMlZTWlRSeFR6SjZRWFJSVkdsd1UxSmhSVEo2YUhGWVlXRkRNMWhzU1VWNVNIUndjMjF5U21SS05GZFdWQ3RWTWpOMmF6TXlURXROWTF
    • https://addto.password.land/XVEZOQ05FcDBTMDR2ZUdoV2FuWndOMlZTWlRSeFR6SjZRWFJSVkdsd1UxSmhSVEo2YUhGWVlXRkRNMWhzU1VWNVNIUndjMjF5U21SS05GZFdWQ3RWTWpOMmF6TXlURXROWTFKTk9VRlVUVUptVDBjMk4zaHRlRFpOVW1KMlpYcEV
    • https://addto.password.land/XTjNkQ2RDdHJLMGxhTWtkM1JtaDBURFJNWWxka2FVNVRlbWhhUjJkalRrUm9abGxqUzJWcWQyeEdNelo0UVc1M1JETTJ
    • https://addto.password.land/XTjNkQ2RDdHJLMGxhTWtkM1JtaDBURFJNWWxka2FVNVRlbWhhUjJkalRrUm9abGxqUzJWcWQyeEdNelo0UVc1M1JETTJVR05FY0ZZdmRrVnJkV2cwV0dsaFVtcHNha3BIYjFWYWIwZFFVVkJuUzBGMmRXWlFiMWgwYzJ4V2F6Uld

Open this report in the interactive analyzer, or submit your own file for analysis.