Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c34f218815b93bbf…

MALICIOUS

Office (OOXML)

195.9 KB Authoring application: 14.0300 First seen: 2021-06-04
MD5: 70af203b4d524055c787054301571045 SHA-1: ba6d1bc5b1b2cc59722ea65dac4d22d447e99413 SHA-256: c34f218815b93bbff150bb1cff377010f5b8b25425e8ca20ec3c17cfb479fe3d
102 Risk Score

Malware Insights

MITRE ATT&CK
T1218.011 System Binary Proxy Execution: Rundll32

The file contains embedded URLs and a sequence of commands that suggest it attempts to download and execute a second-stage payload. Specifically, the document body contains references to 'rundll32.exe' and 'Wscript.Shell' along with multiple URLs, indicating a downloader functionality. The ClamAV detection as 'Xls.Downloader.TrendMicroDridex0521-9860965-0' further supports this assessment.

Heuristics 3

  • ClamAV: Xls.Downloader.TrendMicroDridex0521-9860965-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.TrendMicroDridex0521-9860965-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://adventphilomels.org/wp-includes/sodium_compat/src/Core32/ChaCha20/ecbCQtOlK8wLZzY.php In macro / runtime command snippet
    • https://multigranos.com.bo/wp-content/plugins/woocommerce/i18n/languages/xRrL7GcQN0.phpIn document text (OOXML body / shared strings)
    • https://kpleads.com/kpleads.ali/wp/wp-includes/js/codemirror/FA0MND35N.phpIn document text (OOXML body / shared strings)
    • https://gulfbeautygt.com/images/byaLcZQlkP5.phpIn document text (OOXML body / shared strings)
    • https://sitonyourassandmakemoney.com/wp-content/plugins/cartflows/theme-support/astra/sOR3qwEjQh3.phpIn document text (OOXML body / shared strings)
    • https://meaamarelmorshedy.com/cpx_admin/plugins/ckeditor/skins/moono/dla4Okf7bQ3.phpIn document text (OOXML body / shared strings)
    • https://lifezhonour.com/backup-11-06-2020/vendor/phpmailer/phpmailer/language/kuVnna5b5FX3Hps.phpIn document text (OOXML body / shared strings)
    • https://wypozyczalnia-dragon.pl/libraries/fof/integration/joomla/filesystem/v566mU4QOL0.phpIn document text (OOXML body / shared strings)
    • https://smarttechbv.com.br/wp-content/plugins/wp-fastest-cache/css/fonts/5kbCoM4jSnAI.phpIn document text (OOXML body / shared strings)

Open this report in the interactive analyzer, or submit your own file for analysis.