Xls.Downloader.Agent08210-9888570-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 b84b2c63d4a11cfc…

MALICIOUS

Office (OOXML)

251.1 KB Created: 2021-06-07 17:47:41 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-08-25
MD5: fcb6bfa0e42711ec0f4f6332c717f429 SHA-1: 4593bdab12bbf1e524c6d5dc093213cae28ca191 SHA-256: b84b2c63d4a11cfcd1f1902fb29e72789265b4233ac38080c83da6365f7d4079
86 Risk Score

Malware Insights

Xls.Downloader.Agent08210-9888570-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The file is detected as Xls.Downloader.Agent08210-9888570-0 by ClamAV. It contains a fake invoice lure, suggesting a phishing attempt. The document includes an external hyperlink to 'https://dock.constantcontactsites.com/', which is likely used to deliver a secondary payload.

Heuristics 5

  • ClamAV: Xls.Downloader.Agent08210-9888570-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Agent08210-9888570-0
  • External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://dock.constantcontactsites.com/
  • External workbook data link low OOXML_EXTERNAL_REL_DATALINK
    External workbook reference in xl/pivotCache/_rels/pivotCacheDefinition1.xml.rels: /Users/goods/Downloads/JMS ENGINEERED PLASTICS INC_SOA_June.xlsx
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://dock.constantcontactsites.com/ Document hyperlink