Office (OOXML) malware analysis — malicious · 1463a2182b3cfb8e

MALICIOUS

Office (OOXML)

151.8 KB Created: 2018-10-13 21:56:52 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2019-05-16

MD5: f82f32acbe2bb31b72ddbd65e15c95ff SHA-1: a6af6311e6f51e89cfe887740c70b213f4942bff SHA-256: 1463a2182b3cfb8e744e694c1ad9dbd9f4b4ec82f0a85fd03db04794a30eff6b

200 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is identified as malicious due to the presence of an Equation Editor OLE object, which is a known exploit vector for CVE-2017-11882. The document also contains a lure to enable macros or editing, a common tactic for malware droppers. The ClamAV detection confirms the exploitation of CVE-2017-11882, indicating the file's purpose is to execute malicious code upon user interaction.

Heuristics 4

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject1.bin	4096 bytes
SHA-256: `5b2d8d43ea06b26683f6d4584b5cff2cc477d0ec163107aec8a55fb96a9d1f39`
Detection ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.