MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 User Execution: Malicious File
The file exhibits characteristics of a downloader, as indicated by the ClamAV detection and the presence of external URLs used for tracking and potentially downloading further payloads. The document body explicitly instructs the user to enable editing and macros, which is a social engineering tactic to bypass security measures and execute malicious content. The embedded URLs are likely used to track engagement and potentially serve a second-stage payload.
Heuristics 6
-
ClamAV: Xls.Downloader.Trojan-b333b3b333898c4c-b333b3b333898c4c-9950284-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xls.Downloader.Trojan-b333b3b333898c4c-b333b3b333898c4c-9950284-0
-
Remote image (web beacon / tracking pixel) medium OOXML_IMAGE_BEACONDocument references an external image URL — loads automatically on open, revealing IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks)
-
External relationship medium OOXML_EXTERNAL_RELExternal target in xl/drawings/_rels/drawing1.xml.rels: http://kn0wbe4.compromisedblog.com/XcmVVjaXBpZWV50X2lkPTEQzNDY3EwMzE2yMCZjYW1wIYWOlnbl9ydW5faWQ9MTg3pMjY5MyZhY3Rpb249YXR
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKSDocument contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: http://kn0wbe4.compromisedblog.com/XcmVljaXBpZWM50X2lkPTbQzNDY3DtMzE2gMCZjYW1woYWAlnbl9ydW5faWQ9MTg3zMjY5MyZhY3Rpb249Y2xpY2smdXJsPWh0dHBzOi8vc2VjdXJlZC1sb2dpbi5
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://kn0wbe4.compromisedblog.com/XcmVVjaXBpZWV50X2lkPTEQzNDY3EwMzE2yMCZjYW1wIYWOlnbl9ydW5faWQ9MTg3pMjY5MyZhY3Rpb249YXR0YWNobWVudA== OOXML external relationship
- http://kn0wbe4.compromisedblog.com/XcmVljaXBpZWM50X2lkPTbQzNDY3DtMzE2gMCZjYW1woYWAlnbl9ydW5faWQ9MTg3zMjY5MyZhY3Rpb249Y2xpY2smdXJsPWh0dHBzOi8vc2VjdXJlZC1sb2dpbi5Document hyperlink
- http://kn0wbe4.compromisedblog.com/XcmVljaXBpZWM50X2lkPTbQzNDY3DtMzE2gMCZjYW1woYWAlnbl9ydW5faWQ9MTg3zMjY5MyZhY3Rpb249Y2xpY2smdXJsPWh0dHBzOi8vc2VjdXJlZC1sb2dpbi5uZXQvcGFnZXMvZWQ1NTE1MjcwMDZiDocument hyperlink
- http://kn0wbe4.compromisedblog.com/XcmVVjaXBpZWV50X2lkPTEQzNDY3EwMzE2yMCZjYW1wIYWOlnbl9ydW5faWQ9MTg3pMjY5MyZhY3Rpb249YXROOXML external relationship
Open this report in the interactive analyzer, or submit your own file for analysis.