Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a40f0158bfe072b2…

MALICIOUS

Office (OOXML)

36.3 KB Created: 2018-03-01 09:32:33 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2019-05-10
MD5: 6bc9ec1ea10a37e862b92272ed74bf89 SHA-1: 0429bc1a2f7852df1cb265d92327084bbd6951d6 SHA-256: a40f0158bfe072b2f2c227cf4cdee23f77ffb2dc89da95515e71c5218f754a14
62 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment

The critical heuristic indicates a malicious DDE link in an Excel file. This link executes a command that downloads a PowerShell script from http://185.189.12.57:8000/b.ps1 and then executes it. This is a common pattern for delivering second-stage malware. The document body appears to be a price list, likely used as a lure.

Heuristics 2

  • Spreadsheet DDE link launches a dangerous command critical OOXML_SPREADSHEET_DDE_MALICIOUS
    Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://185.189.12.57:8000/b.ps1 In document text (OOXML body / shared strings)

Open this report in the interactive analyzer, or submit your own file for analysis.