Adversaries may be using this file as part of a phishing wave to compromise user credentials and spread malware. SOC teams should proactively hunt for this behavior to identify and mitigate potential credential theft and lateral movement in their Azure Sentinel environment.
YARA Rule
rule PHISH_02Dez2015_attach_P_ORD_C_10156_124658 {
    meta:
        description = "Phishing Wave - file P-ORD-C-10156-124658.xls"
        author = "Florian Roth"
        reference = "http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/"
        date = "2015-12-02"
        hash = "bc252ede5302240c2fef8bc0291ad5a227906b4e70929a737792e935a5fee209"
    strings:
        $s1 = "Execute" ascii
        $s2 = "Process WriteParameterFiles" fullword ascii
        $s3 = "WScript.Shell" fullword ascii
        $s4 = "STOCKMASTER" fullword ascii
        $s5 = "InsertEmailFax" ascii
    condition:
        uint16(0) == 0xcfd0 and filesize < 200KB and all of them
}
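To see exactly what the condition above requires before deploying it, here is an added pure-Python re-implementation of the rule's logic (not part of the original page or of Florian Roth's rule), run against constructed byte samples; it mirrors the little-endian uint16(0) check, the 200KB size bound and YARA's fullword semantics for $s2 to $s4.

```python
import re

# Added example: offline re-implementation of the page's YARA rule logic.
# Not the real malware sample; all inputs below are constructed.

OLE_MAGIC_LE = 0xCFD0       # uint16(0) reads bytes D0 CF little-endian
MAX_SIZE = 200 * 1024       # YARA's "200KB" is 200 * 1024 bytes

# (pattern, fullword) pairs mirroring $s1 .. $s5 of the rule
STRINGS = [
    (b"Execute", False),
    (b"Process WriteParameterFiles", True),
    (b"WScript.Shell", True),
    (b"STOCKMASTER", True),
    (b"InsertEmailFax", False),
]

def _fullword_present(data: bytes, s: bytes) -> bool:
    """YARA 'fullword': occurrence must not be bordered by alphanumerics."""
    for m in re.finditer(re.escape(s), data):
        before = data[m.start() - 1:m.start()] if m.start() > 0 else b""
        after = data[m.end():m.end() + 1]
        if not before.isalnum() and not after.isalnum():
            return True
    return False

def matches_rule(data: bytes) -> bool:
    """Return True when data satisfies the rule's condition clause."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != OLE_MAGIC_LE:
        return False                      # not an OLE2 compound document
    if len(data) >= MAX_SIZE:
        return False                      # filesize < 200KB fails
    return all(_fullword_present(data, s) if fw else s in data
               for s, fw in STRINGS)     # "all of them"

# Constructed samples (hypothetical content, not the referenced file)
OLE_HEADER = bytes.fromhex("d0cf11e0a1b11ae1")
SUSPICIOUS = (OLE_HEADER + b"\x00" * 16 +
              b"Execute ... Process WriteParameterFiles\x00"
              b"WScript.Shell\x00STOCKMASTER\x00InsertEmailFax")
BENIGN = OLE_HEADER + b"\x00" * 64 + b"Sheet1"           # same magic, no macro strings
PARTIAL = SUSPICIOUS.replace(b"STOCKMASTER\x00", b"STOCKMASTERS\x00")  # fullword miss
XLSX_LIKE = b"PK\x03\x04" + SUSPICIOUS[4:]               # OOXML zip magic, wrong uint16(0)

if __name__ == "__main__":
    for name, blob in [("suspicious", SUSPICIOUS), ("benign", BENIGN),
                       ("partial", PARTIAL), ("xlsx-like", XLSX_LIKE)]:
        print(f"{name}: {matches_rule(blob)}")
```

The PARTIAL sample shows why $s4 is declared fullword: "STOCKMASTER" embedded in a longer token does not satisfy the rule, which limits matches on unrelated documents that merely contain that substring.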
This rule contains 5 string patterns in its detection logic ($s1 to $s5), and its condition also requires the OLE2 compound-document magic (uint16(0) == 0xcfd0, i.e. the first two bytes D0 CF read little-endian) and a file size under 200KB. The scenarios below describe legitimate activity that could produce a file with the same name, together with the exclusions to consider when the rule is deployed in each context:
Scenario: A system administrator is using PowerShell to automate the deployment of a legitimate Excel file (P-ORD-C-10156-124658.xls) as part of a scheduled maintenance job.
Filter/Exclusion: Check for the presence of powershell.exe in the process tree and exclude processes initiated by the admin’s scheduled task or service account.
Scenario: A SQL Server Agent Job is configured to export data to an Excel file (P-ORD-C-10156-124658.xls) for reporting purposes.
Filter/Exclusion: Filter out file creation events originating from SQL Server Agent jobs or processes with sqlservr.exe in the parent process chain.
Scenario: A Windows Task Scheduler job is configured to run a script that generates a temporary Excel file (P-ORD-C-10156-124658.xls) for internal data processing.
Filter/Exclusion: Exclude events where the file is created by a task with a known name or by a user account associated with internal automation tools.
Scenario: A Power BI report is scheduled to export data to an Excel file (P-ORD-C-10156-124658.xls) for sharing with stakeholders.
Filter/Exclusion: Filter out file creation events that occur from Power BI services or processes associated with the Power BI Desktop or Server.
Scenario: A backup tool like Veeam or Commvault is configured to archive an Excel file (P-ORD-C-10156-124658.xls) as part of a daily backup routine.
Filter/Exclusion: Exclude file creation events that originate from backup processes or services associated with the backup tool’s execution.