Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 1db297cf6e3e3288…

MALICIOUS

Office (OOXML)

Size: 76.4 KB
Created: 2012-12-06 18:59:15 UTC
Authoring application: Microsoft Macintosh Excel 12.0000
First seen: 2019-03-10
MD5: e339659c9f89786505024ed8cba15f73
SHA-1: 1b8f5a899c4bcfe1aef70cdcf729d9d9b342ebfa
SHA-256: 1db297cf6e3e3288bfdb52f795808d15cb71a0a56e8f3ac34d461bfc97a207cd
Risk Score: 256

Malware Insights

MITRE ATT&CK
  • T1203 — Exploitation for Client Execution
  • T1566.001 — Spearphishing Attachment

The file is identified as malicious due to the critical heuristic firing for CVE-2017-11882, indicating exploitation of the Equation Editor vulnerability. This vulnerability is commonly used to achieve arbitrary code execution, often leading to the download of additional malware. The presence of an embedded OLE object and the ClamAV detection further support this assessment.

Heuristics (6)

  • CVE-2017-11882 — Equation Editor FONT record overflow [critical] [CVE likely] (CVE_2017_11882)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object [high] [CVE related] (OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • Embedded OLE object [medium] (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Hidden worksheet [low] (OOXML_HIDDEN_SHEET)
    Excel workbook contains 2 hidden sheet(s). Hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.
  • Fake invoice / payment lure [low] (SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb. This is useful context when combined with link, macro, or attachment indicators.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
Size: 4096 bytes
SHA-256: d1d74028643cec54b15a90772e4f59ebe232473084658f7ac6cd45c2763f1a13
Detection
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0
Obfuscation or payload: unlikely