Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b5b7acfc637ebff4…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 10.2 KB
Created: 2021-01-13 13:39:35 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-07-13
MD5: e0625ac4fe475632ad8e95dab1359ce3
SHA-1: e19a8481b33cc3210cb4e519b699d1988cc5355c
SHA-256: b5b7acfc637ebff43b13cbc61dea9102ef7c8058a6d307bf7f9502fd10b965a5
Risk score: 70

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The OOXML document contains a clickable image designed as a phishing lure, directing the user to an external form. This technique is commonly used to harvest credentials or deliver further malicious content. No scripts were extracted, and the primary IOC is the external URL used in the lure.

Heuristics (3)

  • OOXML clickable image phishing/form lure [critical] (OOXML_CLICKABLE_IMAGE_FORM_LURE)
    Workbook uses a large embedded image as the visible document body and attaches a click-through external hyperlink to that image. The target is a form/collection service, or the drawing contains download/view lure text, which is a common credential- or document-phishing pattern rather than benign workbook data.
  • External hyperlinks (1) [low] (OOXML_EXTERNAL_HYPERLINKS)
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://snll7f5mnfm.typeform.com/to/VmZKroHz
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://snll7f5mnfm.typeform.com/to/VmZKroHz (channel: Document hyperlink)