Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 b8c96b6a4fffc12c…

MALICIOUS

Office (OOXML)

Size: 172.2 KB
Created: 2014-07-08 19:37:28 UTC
Authoring application: Microsoft Macintosh Excel 16.0300
First seen: 2021-06-13
MD5: f611cd224b625c5986080cff0837d0ba
SHA-1: 606e69d6951445b34ad806f2e67d49cd0bfaa9c6
SHA-256: b8c96b6a4fffc12c4431fb3560a035eab0d68d18faf289054b2638e50b5784ab
Risk Score: 130

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The file exhibits characteristics of a downloader, as indicated by the ClamAV detection and the presence of external URLs used for tracking and potentially downloading further payloads. The document body explicitly instructs the user to enable editing and macros, which is a social engineering tactic to bypass security measures and execute malicious content. The embedded URLs are likely used to track engagement and potentially serve a second-stage payload.

Heuristics (6)

  • ClamAV: Xls.Downloader.Trojan-b333b3b333898c4c-b333b3b333898c4c-9950284-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Trojan-b333b3b333898c4c-b333b3b333898c4c-9950284-0
  • Remote image (web beacon / tracking pixel) [medium] OOXML_IMAGE_BEACON
    Document references an external image URL that loads automatically on open, revealing the IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks).
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in xl/drawings/_rels/drawing1.xml.rels: http://kn0wbe4.compromisedblog.com/XcmVVjaXBpZWV50X2lkPTEQzNDY3EwMzE2yMCZjYW1wIYWOlnbl9ydW5faWQ9MTg3pMjY5MyZhY3Rpb249YXR
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • External hyperlinks (1) [low] OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink; clickable URLs are stored as external relationships. First target: http://kn0wbe4.compromisedblog.com/XcmVljaXBpZWM50X2lkPTbQzNDY3DtMzE2gMCZjYW1woYWAlnbl9ydW5faWQ9MTg3zMjY5MyZhY3Rpb249Y2xpY2smdXJsPWh0dHBzOi8vc2VjdXJlZC1sb2dpbi5
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://kn0wbe4.compromisedblog.com/XcmVVjaXBpZWV50X2lkPTEQzNDY3EwMzE2yMCZjYW1wIYWOlnbl9ydW5faWQ9MTg3pMjY5MyZhY3Rpb249YXR0YWNobWVudA== (OOXML external relationship)
    • http://kn0wbe4.compromisedblog.com/XcmVljaXBpZWM50X2lkPTbQzNDY3DtMzE2gMCZjYW1woYWAlnbl9ydW5faWQ9MTg3zMjY5MyZhY3Rpb249Y2xpY2smdXJsPWh0dHBzOi8vc2VjdXJlZC1sb2dpbi5 (Document hyperlink)
    • http://kn0wbe4.compromisedblog.com/XcmVljaXBpZWM50X2lkPTbQzNDY3DtMzE2gMCZjYW1woYWAlnbl9ydW5faWQ9MTg3zMjY5MyZhY3Rpb249Y2xpY2smdXJsPWh0dHBzOi8vc2VjdXJlZC1sb2dpbi5uZXQvcGFnZXMvZWQ1NTE1MjcwMDZi (Document hyperlink)
    • http://kn0wbe4.compromisedblog.com/XcmVVjaXBpZWV50X2lkPTEQzNDY3EwMzE2yMCZjYW1wIYWOlnbl9ydW5faWQ9MTg3pMjY5MyZhY3Rpb249YXR (OOXML external relationship)