Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 bd9342e491a6b764…

MALICIOUS

Office (OOXML)

Size: 73.8 KB | Created: 2020-11-17 06:57:52 UTC | Authoring application: Microsoft Excel 16.0300 | First seen: 2021-05-22
MD5: 6372404dfc204dbff2279afb0a2ec514
SHA-1: 61ebcd0081a0326ef8ff4a2503c7febeef00ae4a
SHA-256: bd9342e491a6b76452676faa3dbdb8165d36b847ebbf2376bb846992219b3437
Risk score: 70

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The workbook is a phishing lure rather than a data-bearing spreadsheet: a single embedded image fills the visible sheet and carries a click-through hyperlink to an external Typeform URL, a hosted form service typically used in this pattern to harvest credentials or other sensitive data. No VBA macros were extracted, and none of the heuristics that fired relate to scripting; the detections rest entirely on the drawing part and its external relationship. The lure therefore needs no code execution on the victim's machine, only a click, which is why it survives macro-blocking policies and why scanners that inspect only sheet cell data or the vbaProject part will miss it.

Heuristics 3

  • OOXML clickable image phishing/form lure [critical] OOXML_CLICKABLE_IMAGE_FORM_LURE
    The workbook uses a large embedded image as the visible document body and attaches a click-through external hyperlink to that image. The target is a form/collection service, or the drawing contains download/view lure text; either is a common credential or document-phishing pattern rather than benign workbook data. Note that an image-level hyperlink is stored as an a:hlinkClick element in the drawing part (xl/drawings/*.xml) and resolved through that part's own .rels file, so it does not appear in the sheet's cell hyperlinks.
  • External hyperlinks (1) [low] OOXML_EXTERNAL_HYPERLINKS
    The document contains 1 external hyperlink. Clickable URLs are stored as external relationships (TargetMode="External") rather than inline in the XML. First target: http://dqj3kp1awjy.typeform.com/to/f045ee3z
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://dqj3kp1awjy.typeform.com/to/f045ee3z (channel: document hyperlink)
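The following Python is an added example, not code from this report or from the scanner that produced it. It reproduces the check behind the first two heuristics above: unpack the OOXML container, find every picture in a drawing part whose a:hlinkClick resolves, through the drawing's own relationships file, to an external hyperlink relationship, and report the target URL together with the size of the image the link is attached to. The sample drawing and relationships parts are constructed here to mirror the reported file (the Typeform URL is the one listed in the report; the picture name, image size and the FORM_SERVICE_SUFFIXES list are assumptions for illustration).

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML / OPC namespaces used by a spreadsheet drawing part and its .rels file.
NS = {
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
    "xdr": "http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing",
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
}
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

# Illustrative list of form/collection hosts (assumption; only typeform.com appears in the report).
FORM_SERVICE_SUFFIXES = ("typeform.com", "forms.gle", "forms.office.com", "jotform.com")

# Constructed sample: one picture anchored at A1 whose cNvPr carries an a:hlinkClick (rId1)
# and whose blip embeds an image (rId2). Sizes and the picture name are made up.
SAMPLE_DRAWING = """<?xml version="1.0" encoding="UTF-8"?>
<xdr:wsDr xmlns:xdr="http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing"
          xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
          xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <xdr:oneCellAnchor>
    <xdr:from><xdr:col>0</xdr:col><xdr:colOff>0</xdr:colOff><xdr:row>0</xdr:row><xdr:rowOff>0</xdr:rowOff></xdr:from>
    <xdr:ext cx="9144000" cy="6858000"/>
    <xdr:pic>
      <xdr:nvPicPr><xdr:cNvPr id="2" name="Picture 1"><a:hlinkClick r:id="rId1"/></xdr:cNvPr><xdr:cNvPicPr/></xdr:nvPicPr>
      <xdr:blipFill><a:blip r:embed="rId2"/></xdr:blipFill>
      <xdr:spPr/>
    </xdr:pic>
    <xdr:clientData/>
  </xdr:oneCellAnchor>
</xdr:wsDr>
"""
SAMPLE_DRAWING_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
                Target="http://dqj3kp1awjy.typeform.com/to/f045ee3z" TargetMode="External"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
                Target="../media/image1.png"/>
</Relationships>
"""


def build_sample_xlsx():
    """Pack the constructed parts into a zip container shaped like an .xlsx (other parts omitted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/drawings/drawing1.xml", SAMPLE_DRAWING)
        z.writestr("xl/drawings/_rels/drawing1.xml.rels", SAMPLE_DRAWING_RELS)
        z.writestr("xl/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 60000)  # dummy image bytes
    return buf.getvalue()


def _load_rels(z, part_name, names):
    """Parse the OPC .rels file beside part_name into {Id: (Target, Type, is_external)}."""
    folder, base = posixpath.split(part_name)
    rels_name = posixpath.join(folder, "_rels", base + ".rels")
    rels = {}
    if rels_name in names:
        for rel in ET.fromstring(z.read(rels_name)).findall("rel:Relationship", NS):
            rels[rel.get("Id")] = (rel.get("Target"), rel.get("Type"), rel.get("TargetMode") == "External")
    return rels


def looks_like_form_service(url):
    """True when the link host is (a subdomain of) a listed form/collection service."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in FORM_SERVICE_SUFFIXES)


def clickable_image_links(xlsx_bytes):
    """One record per picture whose a:hlinkClick resolves to an external hyperlink relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            if not (name.startswith("xl/drawings/") and name.endswith(".xml")):
                continue
            rels = _load_rels(z, name, names)
            for pic in ET.fromstring(z.read(name)).iter("{%s}pic" % NS["xdr"]):
                cnvpr = pic.find("xdr:nvPicPr/xdr:cNvPr", NS)
                for hl in pic.iter("{%s}hlinkClick" % NS["a"]):
                    target, rtype, external = rels.get(hl.get("{%s}id" % NS["r"]), (None, None, False))
                    if not (external and rtype == HYPERLINK_REL):
                        continue  # internal anchors and non-hyperlink relationships are not lures
                    # Resolve the embedded image so the record shows how big the "document body" is.
                    blip = pic.find("xdr:blipFill/a:blip", NS)
                    img_rel = rels.get(blip.get("{%s}embed" % NS["r"])) if blip is not None else None
                    img_part = posixpath.normpath(posixpath.join(posixpath.dirname(name), img_rel[0])) if img_rel else None
                    hits.append({
                        "part": name,
                        "picture": cnvpr.get("name") if cnvpr is not None else None,
                        "target": target,
                        "image_part": img_part,
                        "image_bytes": z.getinfo(img_part).file_size if img_part in names else None,
                        "form_service": looks_like_form_service(target),
                    })
    return hits


if __name__ == "__main__":
    for hit in clickable_image_links(build_sample_xlsx()):
        print(hit)
```

Run against a real .xlsx by passing its bytes to clickable_image_links. A hit whose image_bytes is a large fraction of the file size and whose form_service flag is set is the pattern the critical heuristic describes; a hit pointing at an internal sheet anchor (TargetMode absent) is filtered out, which keeps ordinary "click to jump to sheet" images from firing.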