Office (OOXML) malware analysis — malicious · c23d91392dbdb371

MALICIOUS

Office (OOXML)

9.2 KB Created: 2018-01-27 23:15:49 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-10-26

MD5: 6239799852966085ab37115c2ad3b801 SHA-1: 49d7207e448d5d5bb544f2972fe1b7f06c09a8a0 SHA-256: c23d91392dbdb371d576d66c073b9482401d61e7bc7692e284c66005d3a37948

62 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is an OOXML spreadsheet that contains a malicious DDE link. This link is configured to execute mshta with a remote HTA file from http://3.12.41.114/Joker/Joker.hta. The HTA file is likely a JavaScript payload designed to download and execute further malicious content, indicating a downloader or droppper functionality.

Heuristics 2

Spreadsheet DDE link launches a dangerous command critical OOXML_SPREADSHEET_DDE_MALICIOUS

Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://3.12.41.114/Joker/Joker.hta In document text (OOXML body / shared strings)

Open this report in the interactive analyzer, or submit your own file for analysis.