Office (OOXML) malware analysis — malicious · c900a2820b42c126

MALICIOUS

Office (OOXML)

9.7 KB Created: 2018-09-26 00:28:18 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2019-05-16

MD5: fefa5018f7ed450a1b39126bc4ca3d85 SHA-1: 0999cc6793f882cad765bbe8286a73d434e9483d SHA-256: c900a2820b42c12669aadeb459e0459ef08d655cc6f97073a4128920d6e4473f

122 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment

The critical heuristic firing indicates a malicious DDE link within the spreadsheet. This link is configured to execute a PowerShell command that downloads and runs the 'powercat.ps1' script from a GitHub repository. The script is then used to establish a connection to '192.168.253.132' on port 443, executing a command shell. This indicates the document is a malicious attachment designed to download and execute a second-stage payload.

Heuristics 3

ClamAV: Xml.Exploit.DDE_Abuse-9987933-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xml.Exploit.DDE_Abuse-9987933-1
Spreadsheet DDE link launches a dangerous command critical OOXML_SPREADSHEET_DDE_MALICIOUS

Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1 In document text (OOXML body / shared strings)

Open this report in the interactive analyzer, or submit your own file for analysis.