Office (OOXML) malware analysis — malicious · f50e6b2e176faab6

MALICIOUS

Office (OOXML)

9.9 KB Created: 2021-11-02 10:30:24 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-11-23

MD5: 567f002ee119ee7a5c14f359c7036119 SHA-1: 2690c90983bb01554c36742a7146964455c0395d SHA-256: f50e6b2e176faab6040ab8f7106e716ebb6e133b4ba46c2fcce5d35e859bfba3

62 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.001 PowerShell

The sample contains a malicious DDE link within an Excel spreadsheet, specifically targeting the execution of cmd.exe. This command is designed to download a payload from the provided URL using wget and save it as 'a.exe' via a PowerShell script 'b.ps1'. The DDE execution is a direct attempt to achieve client-side execution of arbitrary commands.

Heuristics 2

Spreadsheet DDE link launches a dangerous command critical OOXML_SPREADSHEET_DDE_MALICIOUS

Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://tinyurl.com/y88r9epk In document text (OOXML body / shared strings)

Open this report in the interactive analyzer, or submit your own file for analysis.