Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 db2692abbf13ced7…

MALICIOUS

Office (OOXML)

172.2 KB Created: 2014-07-08 19:37:28 UTC Authoring application: Microsoft Macintosh Excel 16.0300 First seen: 2019-09-30
MD5: ee9f7f705b0c3f703a83da087c308782 SHA-1: 455fd7a274aab68c52e034c65fc80bc95470aeb6 SHA-256: db2692abbf13ced7e3511637bc8aab3a6a25782c30d53e71c4652a164a34680e
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The file is identified as malicious by ClamAV and exhibits characteristics of a downloader. It contains a lure instructing the user to enable editing, and it embeds external URLs that are likely used to fetch a secondary payload. The presence of a remote image beacon and external hyperlinks further supports its malicious intent.

Heuristics 6

  • ClamAV: Xls.Downloader.Trojan-b333b3b333898c4c-b333b3b333898c4c-9950284-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Trojan-b333b3b333898c4c-b333b3b333898c4c-9950284-0
  • Remote image (web beacon / tracking pixel) medium OOXML_IMAGE_BEACON
    Document references an external image URL — loads automatically on open, revealing IP address and timestamp to the server (used for phishing tracking and NTLM hash theft on corporate networks)
  • External relationship medium OOXML_EXTERNAL_REL
    External target in xl/drawings/_rels/drawing1.xml.rels: http://kn0wbe4.compromisedblog.com/XcmVqjaXBpZWm50X2lkPTRM4OTE0aDNTUxLOCZjYW1wHYWblnbl9ydW5faWQ9MTUzoNDgyNCZhY3Rpb249YXR
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: http://kn0wbe4.compromisedblog.com/XcmVfjaXBpZWz50X2lkPTWM4OTE0AxNTUxpOCZjYW1wQYWUlnbl9ydW5faWQ9MTUzYNDgyNCZhY3Rpb249Y2xpY2smdXJsPWh0dHBzOi8vdHJhaW5pbmcua25vd2J
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://kn0wbe4.compromisedblog.com/XcmVqjaXBpZWm50X2lkPTRM4OTE0aDNTUxLOCZjYW1wHYWblnbl9ydW5faWQ9MTUzoNDgyNCZhY3Rpb249YXR0YWNobWVudA== OOXML external relationship
    • http://kn0wbe4.compromisedblog.com/XcmVfjaXBpZWz50X2lkPTWM4OTE0AxNTUxpOCZjYW1wQYWUlnbl9ydW5faWQ9MTUzYNDgyNCZhY3Rpb249Y2xpY2smdXJsPWh0dHBzOi8vdHJhaW5pbmcua25vd2JlNC5jb20vcGFnZXMvZThlMzNkYjRhYWVmDocument hyperlink
    • http://kn0wbe4.compromisedblog.com/XcmVfjaXBpZWz50X2lkPTWM4OTE0AxNTUxpOCZjYW1wQYWUlnbl9ydW5faWQ9MTUzYNDgyNCZhY3Rpb249Y2xpY2smdXJsPWh0dHBzOi8vdHJhaW5pbmcua25vd2JDocument hyperlink
    • http://kn0wbe4.compromisedblog.com/XcmVqjaXBpZWm50X2lkPTRM4OTE0aDNTUxLOCZjYW1wHYWblnbl9ydW5faWQ9MTUzoNDgyNCZhY3Rpb249YXROOXML external relationship

Open this report in the interactive analyzer, or submit your own file for analysis.