Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d92747cbda8e69b4…

MALICIOUS

Office (OOXML)

195.9 KB Authoring application: 14.0300 First seen: 2021-11-22
MD5: def616c5f3333f86da0d569fe6b123a6 SHA-1: cd597f18d589e02cfd6b4f2be62639e9eb7ec050 SHA-256: d92747cbda8e69b487b6f33f882423d3bcae6e7c3fc1ea891b038bc9a4816e5f
102 Risk Score

Malware Insights

MITRE ATT&CK
T1218.011 System Binary Proxy Execution: Rundll32

The file contains embedded URLs and a sequence of commands that suggest it attempts to download and execute a second-stage payload. Specifically, the document body contains references to 'rundll32.exe' and 'Wscript.Shell' along with multiple URLs, indicating a downloader functionality. The ClamAV detection as 'Xls.Downloader.TrendMicroDridex0521-9860965-0' further supports this assessment.

Heuristics 3

  • ClamAV: Xls.Downloader.TrendMicroDridex0521-9860965-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.TrendMicroDridex0521-9860965-0
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://adventphilomels.org/wp-includes/sodium_compat/src/Core32/ChaCha20/ecbCQtOlK8wLZzY.php In macro / runtime command snippet
    • https://multigranos.com.bo/wp-content/plugins/woocommerce/i18n/languages/xRrL7GcQN0.phpIn document text (OOXML body / shared strings)
    • https://kpleads.com/kpleads.ali/wp/wp-includes/js/codemirror/FA0MND35N.phpIn document text (OOXML body / shared strings)
    • https://gulfbeautygt.com/images/byaLcZQlkP5.phpIn document text (OOXML body / shared strings)
    • https://sitonyourassandmakemoney.com/wp-content/plugins/cartflows/theme-support/astra/sOR3qwEjQh3.phpIn document text (OOXML body / shared strings)
    • https://meaamarelmorshedy.com/cpx_admin/plugins/ckeditor/skins/moono/dla4Okf7bQ3.phpIn document text (OOXML body / shared strings)
    • https://lifezhonour.com/backup-11-06-2020/vendor/phpmailer/phpmailer/language/kuVnna5b5FX3Hps.phpIn document text (OOXML body / shared strings)
    • https://wypozyczalnia-dragon.pl/libraries/fof/integration/joomla/filesystem/v566mU4QOL0.phpIn document text (OOXML body / shared strings)
    • https://smarttechbv.com.br/wp-content/plugins/wp-fastest-cache/css/fonts/5kbCoM4jSnAI.phpIn document text (OOXML body / shared strings)

Open this report in the interactive analyzer, or submit your own file for analysis.