Verdict: MALICIOUS
Risk score: 82
Heuristics: 3
- LOLBin token sequence in document text (severity: high, SE_LOLBIN_RUN_COMMAND): Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
- Remote-support tool lure (severity: high, SE_REMOTE_SUPPORT_LURE): Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect. This is high-risk in an unsolicited document.
- Embedded URL (severity: info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.