Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 10a451f05034916a…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 46.1 KB
Created: 2017-05-10 06:52:46 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2019-01-20
MD5: c1aa6a9f313aa8aef08dea84cb341ab1
SHA-1: ab2367f80b52f3c815c877a792f61555a961d40b
SHA-256: 10a451f05034916aa66dae8ac8bc8b6b5a4e95408234940cafea2739760f4c36
Risk score: 180

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical ClamAV heuristic 'Doc.Exploit.CVE_2017_11882-6934206-0' strongly indicates exploitation of the CVE-2017-11882 vulnerability. This vulnerability is present in the Equation Editor OLE object, which was detected within the document. The document body appears to be tabular data, likely a lure, but the primary malicious functionality stems from the embedded exploit.

Heuristics (3)

  • Equation Editor OLE object (severity: high; CVE related; OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 (severity: critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • Embedded OLE object (severity: medium; OOXML_OLE_OBJECT)
    Document contains an embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
Size: 4608 bytes
SHA-256: e71fa2884c7a2ae7f01be1737732d5ae3b4f91ba66bd4f2449d64074f0f8e760
Detection: ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0
Obfuscation or payload: unlikely