Xls.Downloader.Agent08210-9888570-0 — Office (OOXML) malware analysis

Static analysis result for SHA-256 d13650c323f47086…

MALICIOUS

Office (OOXML)

247.4 KB Created: 2020-12-08 15:40:16 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-07-07
MD5: 1f98f0fdececde1f869f95053dd3d3a0 SHA-1: 7d3223f697f3226c808f4b89b5fd413e05985383 SHA-256: d13650c323f47086387e59461e08d84d4c7091b17ca5456226b3a7b8ba6e3143
90 Risk Score

Malware Insights

Xls.Downloader.Agent08210-9888570-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The critical ClamAV heuristic identifies the file as Xls.Downloader.Agent08210-9888570-0, a known downloader. The OOXML_CLICKABLE_IMAGE_FORM_LURE heuristic indicates the presence of a phishing lure using an image, which directs the user to the external URL. This URL is likely used to download and execute a secondary payload.

Heuristics 4

  • ClamAV: Xls.Downloader.Agent08210-9888570-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Agent08210-9888570-0
  • OOXML clickable image phishing/form lure medium OOXML_CLICKABLE_IMAGE_FORM_LURE
    Workbook uses a large embedded image as the visible document body and attaches a click-through external hyperlink to that image. The target is a form/collection service or the drawing contains download/view lure text, which is a common credential or document-phishing pattern rather than benign workbook data.
  • External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://893434782.mfs.gg/-cUySDN
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://893434782.mfs.gg/-cUySDN Document hyperlink