Office (OOXML) / .XLSX static analysis report

Static analysis result for SHA-256 8fe0f4dbaa8421f6…

SUSPICIOUS

Office (OOXML) / .XLSX

367.8 KB | Created: 2017-01-13 05:59:08 UTC | Authoring application: Microsoft Excel 16.0300 | First seen: 2025-04-02
MD5: b52abc598ca5632c53c6b7f6f2b42d0f
SHA-1: 92e214cf376678ef8b574d90cf3226b4e245eefa
SHA-256: 8fe0f4dbaa8421f60a885e86031a02f2a6184aca4091768aa0ceea50ba920b30
Risk Score: 38

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing financial data, which is a common lure for phishing attacks. It includes an external hyperlink to a financial institution's domain, potentially directing users to a phishing site. The presence of hidden sheets and external data links suggests an attempt to conceal malicious activity or facilitate data exfiltration.

Heuristics (4)

  • External workbook data link | medium | OOXML_EXTERNAL_REL_DATALINK
    External workbook reference in xl/externalLinks/_rels/externalLink8.xml.rels: file:///R:\GAS 2002\ANALISIACQUISTI2002.xls — a UNC/file path; opening the workbook and updating links could leak NetNTLM credentials to the host
  • External hyperlinks (1) | low | OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: mailto:matthew.lofting@jpmorgan.com
  • Hidden worksheet (hidden) | low | OOXML_HIDDEN_SHEET
    Excel workbook contains 2 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Label
    • http://www.jpmorganmarkets.com | Document hyperlink
    • https://webcast.shell.com/guest/ | Document hyperlink
    • http://www.apple.com/DTDs/PropertyList-1.0.dtd | Document hyperlink
    • http://ns.adobe.com/xap/1.0/ | Document hyperlink
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# | Document hyperlink
    • http://purl.org/dc/elements/1.1/ | Document hyperlink
    • http://ns.adobe.com/xap/1.0/mm/ | Document hyperlink
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# | Document hyperlink
    • http://ns.adobe.com/photoshop/1.0/ | Document hyperlink
    • http://ns.adobe.com/tiff/1.0/ | Document hyperlink
    • http://ns.adobe.com/exif/1.0/ | Document hyperlink
    • http://www.iec.ch | Document hyperlink