Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 dc92da90b642e4f9…

MALICIOUS

Office (OOXML) / .XLSX

Size: 324.9 KB
Created: 2001-08-29 09:40:27 UTC
Authoring application: Microsoft Excel 12.0000
MD5: d087236fc006137adec1fe9947f9130b
SHA-1: 0ec6fc0177ef2e5a32047e0113b5c34249621b34
SHA-256: dc92da90b642e4f9f8574cd27ee31086291da034a50c5267c447a158fccc0dbd
Risk Score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The file is an OOXML document containing an embedded OLE object and external relationships, indicative of malicious intent. The document body presents itself as a shipping instruction or order confirmation, but includes a phone number (86-411-82812850-8595) and prompts the user to call back, which is a common tactic for callback phishing or tech-support scams. The presence of hidden sheets further suggests an attempt to conceal malicious content. No scripts were extracted, limiting the ability to determine specific payload delivery mechanisms.

Heuristics 5

  • External relationship high OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink2.xml.rels: file:///\\esmad1ww00002\DataVstOrders\PEDIDOS DESDE SINGAPUR\2017\298337 WENZHOU PLEASURE TRADE COLTD 12000\COMM INV S80
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 4 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.kuehne-nagel.com
    • http://schemas.openxmlformats.org/drawingml/2006/main

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 9da7c3de1b9bd73b8f9318c778f2af8fa2cd52d08eb5135c286221b4ef2974c9
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
    Size: 29184 bytes
  • Filename: ooxml_oleobject_01.bin
    SHA-256: c16b36b2a8125b4628c6cef20853483ff23103161194efe3e8c8b8cde66897b6
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject2.bin
    Size: 168960 bytes
  • Filename: emf_00.emf
    SHA-256: 46c643d82a64a44412f61da9da006df4aa6e784fe6530a06b14601bbcec49d4a
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image6.emf
    Size: 178400 bytes