On March 14, 2021, a security alert was triggered by a malicious file download attempt involving a macro-enabled document known as “INVOICE PACKAGE LINK TO DOWNLOAD.docm.” Analysis revealed that the file was flagged by numerous antivirus engines, indicating it contained known malware. The file was successfully blocked and quarantined, preventing any execution on the associated endpoint, NicolasPRD. Affected: endpoint security, malware detection, phishing campaigns.
Keypoints :
- A security alert (Event ID 76) was triggered for SOC137 – Malicious File/Script Download Attempt.
- The suspicious file was called “INVOICE PACKAGE LINK TO DOWNLOAD.docm”.
- The source IP address was 172.16.17.37, associated with the endpoint NicolasPRD.
- 41 out of 65 antivirus engines flagged the file as malicious on VirusTotal.
- The file was blocked and quarantined, preventing execution.
- A dynamic sandbox analysis confirmed the document contained a malicious macro.
- PowerShell commands were executed, suggesting a macro-based attack.
- There was no evidence of interaction with the malicious IP addresses post-block.
- The threat was confirmed as a true positive, necessitating no additional containment actions.
MITRE Techniques :
- PowerShell Execution (T1059.001): The document launched PowerShell.exe to execute commands.
- Command & Scripting Interpreter Abuse (T1059): Microsoft Word executed commands via PowerShell and Command Prompt.
- Malicious File Execution (T1204.002): Execution originated from MS Office, indicating unusual behavior.
- Shell Command Execution (T1059.003): Scripts were executed via the Windows Command Shell.
Indicator of Compromise :
- [IP Address] 172.16.17.37
- [File Hash] f2d0c66b801244c059f636d08a474079
- [IP Address] 178.175.67.109
- [IP Address] 188.114.96.0
- [IP Address] 188.114.97.0