Office (OOXML) malware analysis — malicious · bfd63f060e47cafc

MALICIOUS

Office (OOXML)

170.6 KB Created: 2014-07-08 19:37:28 UTC Authoring application: Microsoft Macintosh Excel 16.0300 First seen: 2021-10-31

MD5: 7b6997bf3db1b9b7fc6b5ef978a86a55 SHA-1: e07461c417c81dc89aff325c362e393c1e654c44 SHA-256: bfd63f060e47cafc86df26cf0e8368a48c637b6aeb3aac57776c9eb5d1ccf73d

130 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File: User Execution T1059.005 Visual Basic

The document contains a lure instructing the user to enable editing, a common tactic for macro-enabled malware. Heuristics indicate the presence of remote image beacons and external relationships, all pointing to a URL that likely serves as a download source for a second-stage payload. The ClamAV detection further confirms its malicious nature as a downloader.

Heuristics 6

ClamAV: Xls.Downloader.Trojan-b333b3b333898c4c-b333b3b333898c4c-9950284-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Trojan-b333b3b333898c4c-b333b3b333898c4c-9950284-0
Remote image (web beacon / tracking pixel) medium OOXML_IMAGE_BEACON

Document references an external image URL — loads automatically on open, revealing IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks)
External relationship medium OOXML_EXTERNAL_REL

External target in xl/drawings/_rels/drawing1.xml.rels: https://cardpayments.microransom.us/XTnpGalJ6RnpjR3M1ZVRodlRHZ3lOazByVnpGUFJucFhSVlEyUjNSaGJXMTFWRkZGUWpGR09FZG5WUzh2WVV
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS

Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://cardpayments.microransom.us/XYkRKRFoyMXdXbFppYVVGVFluRXZhSEJtUW14R1pXOW1hR2wxTTBSVk9YSXZMMGQ2VUVWemQweDRiWGQzYlZOTU9HVjZUVTk2Wm1sa1lWSjJXVGR0T1VwR2NFMUx
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://cardpayments.microransom.us/XTnpGalJ6RnpjR3M1ZVRodlRHZ3lOazByVnpGUFJucFhSVlEyUjNSaGJXMTFWRkZGUWpGR09FZG5WUzh2WVVGaVl6bHhTRVJaUTJ0bFFrTTRRMEZDVGswd1JEWTNXWHBDZW1sSWFGSklVMVpoWkZKa05WUkdXWG94WVdsNWRIRTVSR1pyWWxCSVdVSTJWV005TFMxVVduQkVkSGczWlVOcWVIZGFNMWhRUkhOSFpUbG5QVDA9LS1mMTNhNWRlYTZkNmQ0ODU In document text (OOXML body / shared strings)
- https://cardpayments.microransom.us/XYkRKRFoyMXdXbFppYVVGVFluRXZhSEJtUW14R1pXOW1hR2wxTTBSVk9YSXZMMGQ2VUVWemQweDRiWGQzYlZOTU9HVjZUVTk2Wm1sa1lWSjJXVGR0T1VwR2NFMUxDocument hyperlink
- https://cardpayments.microransom.us/XYkRKRFoyMXdXbFppYVVGVFluRXZhSEJtUW14R1pXOW1hR2wxTTBSVk9YSXZMMGQ2VUVWemQweDRiWGQzYlZOTU9HVjZUVTk2Wm1sa1lWSjJXVGR0T1VwR2NFMUxiSHB5VVZnMlZsUk9NVUpGUjNGWlVXMUZkRlZhY1RDocument hyperlink
- https://cardpayments.microransom.us/XTnpGalJ6RnpjR3M1ZVRodlRHZ3lOazByVnpGUFJucFhSVlEyUjNSaGJXMTFWRkZGUWpGR09FZG5WUzh2WVVOOXML external relationship
- https://cardpayments.microransom.us/XTnpGalJ6RnpjR3M1ZVRodlRHZ3lOazByVnpGUFJucFhSVlEyUjNSaGJXMTFWRkZGUWpGR09FZG5WUzh2WVVGaVl6bHhTRVJaUTJ0bFFrTTRRMEZDVGswd1JEWTNXWHBDZW1sSWFGSklVMVpoWkZKa05WUkdXWG94WVdOOXML external relationship

Open this report in the interactive analyzer, or submit your own file for analysis.