Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b4fbcb58bdaf9eb1…

MALICIOUS

Office (OOXML)

195.8 KB Authoring application: 14.0300 First seen: 2021-11-22
MD5: 3b24797470c88ac79cd2c9c686410f1e SHA-1: 42406053473cd10212830506f138b658042dd9d6 SHA-256: b4fbcb58bdaf9eb1d0b9ba4a5d590ec7985df330cbe7715446335db2f29aa0ae
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment

The document contains heuristics indicating it lures the user into executing commands via the clipboard, specifically mentioning `rundll32.exe`, `the embedded link`, `Wscript.Shell`, and `MSXML2.XMLHTTP`. It also embeds multiple URLs that are likely used to download and execute a second-stage payload. The ClamAV detection as `Xls.Downloader.TrendMicroDridex0521-9860965-0` strongly suggests a downloader family, but specific attribution is not possible from the provided evidence.

Heuristics 4

  • ClamAV: Xls.Downloader.TrendMicroDridex0521-9860965-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.TrendMicroDridex0521-9860965-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://damonica.com/webedit_includes/de/skins/default/m7OPEeyiZzqD.php In document text (OOXML body / shared strings)
    • https://tafaghodi.ir/resume/files/OKBWIjkslY8bOV.phpIn macro / runtime command snippet
    • https://website-demo.co.in/jthealthcare/wp-includes/css/dist/block-editor/KnSlPIeZi.phpIn document text (OOXML body / shared strings)
    • https://radiouranio.com/player_radio/jquery.lightbox/js/lightbox/themes/zagDA4cqUZOj.phpIn document text (OOXML body / shared strings)
    • https://hereweads.com/wp-content/plugins/woodmart-core/woodmart-core/importer/UZIk36xnY.phpIn document text (OOXML body / shared strings)
    • https://kpleads.com/kpleads.ali/wp/wp-includes/js/codemirror/FA0MND35N.phpIn document text (OOXML body / shared strings)
    • https://loveworldprograms.org/videos/fontawesome/css/FHK2joBPEd.phpIn document text (OOXML body / shared strings)
    • https://momentsjo.com/COPYRIGHT/fUK6TkrF5j2dFc.phpIn document text (OOXML body / shared strings)