Office (OOXML) / .XLSX static analysis report

Static analysis result for SHA-256 d81bb59c49215231…

SUSPICIOUS

Office (OOXML) / .XLSX

Size: 138.5 KB
Created: 2025-10-17 09:26:45 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2025-10-17
MD5: 0451402243dbfe6b937d86fab06477c8
SHA-1: 3df97a7118dfcfb5b3d30a9bcada31b252b39481
SHA-256: d81bb59c49215231d936a901c7da61fd380b93cc899f0ea9866df3d5f6b89fca
Risk Score: 50

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link: Malicious Link
  • T1059 Command and Scripting Interpreter
  • T1059.001 Command and Scripting Interpreter: PowerShell

The document contains external hyperlinks and references to PowerShell, indicating an attempt to execute commands or download additional content. The presence of CVE-2017-11882 in the extracted facts strongly suggests exploitation of this known vulnerability to achieve code execution. The document body appears to be a template for logging security test results, but the embedded exploit indicators point to a malicious use case.

Heuristics (3)

  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External hyperlinks (1) [low] OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: https://www.virustotal.com/gui/file/c212ef2473a886e0bd18d88177fdc266f5a2ef20be35675eeca489fde2c42da2/detection
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.