Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 03b80532522a111e…

MALICIOUS

Office (OOXML)

Size: 27.3 KB
Created: 2015-06-05 18:17:20 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2019-11-20

MD5: 3b723e8feb897e16880e663a96210d5f
SHA-1: 055a3dd797bae121381b32aeccd02705e146dbf5
SHA-256: 03b80532522a111e1163be953536079ba02ace8c75d662b51a110f4a43739256

Risk Score: 62

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical heuristic fired because a DDE link within the spreadsheet is configured to execute a command. That command uses certutil to download and execute two files, 'mcafeeupdate.exe' and 's.exe', from the S3 URL listed below. Execution of these downloaded files is the primary malicious action.

Heuristics (2)

  • Spreadsheet DDE link launches a dangerous command (severity: critical, ID: OOXML_SPREADSHEET_DDE_MALICIOUS)
    Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://s3.amazonaws.com/gtdsinc/&certutil
    Channel: in document text (OOXML body / shared strings)