MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The file is an Excel document that uses a social engineering lure to convince the user to enable content, likely to execute a malicious payload. Heuristics indicate that the document package drops an executable file named 'http193.26.217.221zxrssidin.exe.vbs', which is likely a VBScript downloader. The presence of 'SC_STR_WSCRIPT' heuristic further supports the execution of a script via Windows Script Host.
Heuristics 4
-
ClamAV: Xls.Dropper.Agent-1871571 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Dropper.Agent-1871571
-
Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILEOLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use — it is a malware-delivery dropper.
-
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
ole10native_00.bin |
ole-package | OLE Ole10Native stream: MBD03331D2E/Ole10Native | 8609 bytes |
SHA-256: f6c4d549b3d16f822618a84980ff1549801c17bb00ae197c7e66f46378a9a720 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Static shellcode analysis recovered command string(s): WScript.Shell").Run(""& oulhnuxsrrvvhzm &""),0A
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.