Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 015ba95e955d41b5…

MALICIOUS

Office (OOXML)

Size: 624.9 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2020-05-14
MD5: 38a10695ad40e9eaf3462430aff11166
SHA-1: 7e15a0e3e7654ca77559cd30174d12c5c373c11b
SHA-256: 015ba95e955d41b512823e5b36fb7ccfc0c19ec627adcd82dd4f9f6d66d88b26
Risk score: 282

Heuristics 6

  • CVE-2018-0802 — Equation Editor SIZE record overflow [critical | CVE likely | CVE_2018_0802]
    Equation Editor MTEF contains an exploit-sized SIZE record, the vulnerable parser path described for CVE-2018-0802. This is stronger evidence than Equation Editor activation alone because it identifies the malformed SIZE record primitive.
  • Equation Editor OLE object [high | CVE related | OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Downloader.Formbook-bc97c1e0c33c3c93-9951465-0 [critical | CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Formbook-bc97c1e0c33c3c93-9951465-0
  • MTEF SIZE record has implausibly large value [high | OLE_MTEF_SIZE_RECORD_ANOMALY]
    Equation Editor MTEF SIZE record declares an explicit point size or delta far beyond legitimate equation text. CVE-2018-0802 abuses the SIZE parsing path; this heuristic catches that structural record shape without relying on a fixed ROP payload.
  • Embedded OLE object [medium | OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
  • Suspicious extracted artifact [info | EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject3.bin | 56320 bytes
  SHA-256: 2d8b8baf58e46ffa003d46417aa1f3e8fefea055c4ebe9998b8a3828010d9324
  Detection: ClamAV: Doc.Downloader.Formbook-bc97c1e0c33c3c93-9951465-0
  Obfuscation or payload: likely (carved artifact entropy is 7.54, consistent with packed or encrypted content)

ooxml_oleobject_01.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject2.bin | 1587712 bytes
  SHA-256: b77ee1df9e099ff083a1d852daf9f9e79fa95a7245069583738097fe1862fe48

ooxml_oleobject_01_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native | 1572612 bytes
  SHA-256: d85009cb0f9a593892012a4df8d74182d2ae8fe27d01b2e6029a2b2c0c8b8d19

ooxml_oleobject_02.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject1.bin | 109568 bytes
  SHA-256: fc5bbc4fe0f23d2a1bb3e1baec2f276f7773c454ae8fd8c7ab162b836a4b0b81
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.97, consistent with packed or encrypted content)

emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image3.emf | 1099960 bytes
  SHA-256: 11c384c58fa2bcdd3de3f162207a933a028d14c1e3aa81f9ca36e980f479528b

emf_01.emf | ooxml-emf | OOXML EMF part: xl/media/image2.emf | 3145608 bytes
  SHA-256: 78c2466c6539c3c9aecc57dd4b2ea6303724eeaef9925fc568c6da8fc6efde19