Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1e0fa42f375431a5…

MALICIOUS

Office (OOXML) / .XLSX

Size: 165.0 KB   Created: 2019-06-18 09:03:55 UTC   Authoring application: Microsoft Excel 16.0300
MD5: ae09c527689511831680c930b7ef00a8   SHA-1: b11f4b754f2a79804abf52a0a6edfb15b556c042   SHA-256: 1e0fa42f375431a546766f47271c84cbaab18ae520aed822c5867cd372923372
Risk Score: 240

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is an OOXML spreadsheet that carries an embedded OLE object identified as an Equation Editor object. The critical heuristics point to an exploit for CVE-2017-11882, a buffer overflow in the legacy Equation Editor component (EQNEDT32.EXE) that is triggered by a malformed MTEF FONT record and yields arbitrary code execution with the privileges of the user who opens the document. No scripts or macros were extracted, and none are needed: the exploit fires when Office hands the embedded object to EQNEDT32.EXE, so the malformed record alone is sufficient to classify the attack pattern.

Heuristics 5

  • CVE-2017-11882 — Equation Editor FONT record overflow [severity: critical | CVE likely | rule: CVE_2017_11882]
    The Equation Editor MTEF data contains an overlong typeface name in a FONT record, the field consumed by the vulnerable copy routine behind CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone, because it identifies the malformed record that drives code execution in EQNEDT32.EXE rather than merely the presence of the component.
  • Equation Editor OLE object [severity: high | CVE related | rule: OLE_EQUATION_EDITOR]
    The embedded OLE object xl/embeddings/oleObject1.bin carries the CLSID of Equation Editor, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 [severity: critical | rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • ClamAV detection on extracted artifact [severity: critical | rule: EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file carved from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Embedded OLE object [severity: medium | rule: OOXML_OLE_OBJECT]
    The document contains an embedded OLE object (xl/embeddings/oleObject1.bin).
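The two Equation Editor heuristics above (the CLSID in oleObject1.bin and the overlong FONT typeface field) can be reproduced with a short triage script. The following is an added example written for this page, not code from the analysis platform that produced the report. It assumes the on-disk layout of the Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}, a 28-byte EQNOLEFILEHDR in front of the MTEF data, and the MTEF v3 FONT record form (tag 0x08, tface byte, style byte, NUL-terminated name). The 36-byte threshold is taken from public analyses of EQNEDT32.EXE, not from the report, and the input streams and OLE blob are constructed inline.

```python
"""Triage helpers for an embedded Equation Editor object (added example).

Checks (1) whether raw OLE/CFB bytes carry the Equation Editor 3.0 CLSID and
(2) whether an "Equation Native" stream holds a FONT record whose typeface name
is longer than the fixed-size buffer EQNEDT32.EXE copies it into. The buffer
size is an assumption from public analyses, not a value from the report.
"""
import struct

# {0002CE02-0000-0000-C000-000000000046} as stored on disk: Data1..Data3
# little-endian, Data4 byte-for-byte.
EQNEDT_CLSID = bytes.fromhex("02CE020000000000C000000000000046")

EQNOLEFILEHDR_LEN = 0x1C    # 28-byte header that precedes the MTEF data
MTEF_HEADER_LEN = 5         # version, platform, product, product version, subversion
MTEF_FONT_TAG = 0x08        # FONT record: tag, tface, style, NUL-terminated name
DEFAULT_MAX_TYPEFACE = 36   # ASSUMED size of the EQNEDT32.EXE stack buffer


def has_equation_editor_clsid(ole_blob: bytes) -> bool:
    """Substring check over the raw bytes of an OLE/CFB object.

    A real oleObject1.bin stores the CLSID in the root directory entry; for
    triage a raw search is enough and needs no compound-file parser.
    """
    return EQNEDT_CLSID in ole_blob


def mtef_body(equation_native: bytes) -> bytes:
    """Validate EQNOLEFILEHDR and return the MTEF payload that follows it."""
    if len(equation_native) < EQNOLEFILEHDR_LEN:
        raise ValueError("stream shorter than EQNOLEFILEHDR")
    cb_hdr, _version, _cf, cb_object = struct.unpack_from("<HIHI", equation_native, 0)
    if cb_hdr != EQNOLEFILEHDR_LEN:
        raise ValueError(f"unexpected cbHdr 0x{cb_hdr:x}")
    end = cb_hdr + cb_object if cb_object else len(equation_native)
    body = equation_native[cb_hdr:end]
    if not body or body[0] != 3:
        raise ValueError("not an MTEF v3 body (Equation Editor 3.0 writes version 3)")
    return body


def find_font_records(body: bytes, max_typeface: int = DEFAULT_MAX_TYPEFACE) -> list:
    """Linear scan for FONT-record candidates and measure each typeface name.

    Heuristic, not a full MTEF record walker: a byte whose low nibble is 8
    (the high nibble holds option flags) followed by tface, style and a
    NUL-terminated name is reported as a FONT record, and the scan resumes
    after the name so a long name is counted once.
    """
    hits = []
    i = MTEF_HEADER_LEN
    while i + 3 <= len(body):
        if body[i] & 0x0F == MTEF_FONT_TAG:
            start = i + 3
            nul = body.find(b"\x00", start)
            name = body[start:] if nul < 0 else body[start:nul]
            hits.append({
                "offset": i,
                "tface": body[i + 1],
                "style": body[i + 2],
                "name_len": len(name),
                "overlong": len(name) > max_typeface,
                "ascii_preview": bytes(b for b in name if 32 <= b < 127)[:32].decode("ascii"),
            })
            i = start + len(name) + 1
        else:
            i += 1
    return hits


def triage(ole_blob: bytes, equation_native: bytes,
           max_typeface: int = DEFAULT_MAX_TYPEFACE) -> dict:
    """Combine both checks the way the report's two Equation Editor heuristics do."""
    fonts = find_font_records(mtef_body(equation_native), max_typeface)
    return {
        "equation_editor_clsid": has_equation_editor_clsid(ole_blob),
        "font_records": len(fonts),
        "overlong_typeface": any(h["overlong"] for h in fonts),
        "max_typeface_len": max((h["name_len"] for h in fonts), default=0),
    }


def build_equation_native(font_name: bytes) -> bytes:
    """Constructed sample stream: EQNOLEFILEHDR + MTEF v3 header + SIZE + FONT + END."""
    mtef = bytes([0x03, 0x01, 0x01, 0x03, 0x0A])            # MTEF v3, Equation Editor 3.0
    mtef += bytes([0x0A, 0x01])                               # SIZE record
    mtef += bytes([MTEF_FONT_TAG, 0x5A, 0x5A]) + font_name + b"\x00"  # FONT record
    mtef += b"\x00"                                           # END record
    # cf (0xC000) is a placeholder registered clipboard-format id; reserved bytes are zero.
    hdr = struct.pack("<HIHI16s", EQNOLEFILEHDR_LEN, 0x00020000, 0xC000, len(mtef), b"\x00" * 16)
    return hdr + mtef


# Constructed inputs: a benign typeface name and an overlong one of the shape seen in
# CVE-2017-11882 samples (a command line padded past the buffer).
BENIGN_STREAM = build_equation_native(b"Times New Roman")
OVERLONG_STREAM = build_equation_native(b"cmd.exe /c calc.exe".ljust(44, b"A"))

# Constructed stand-in for oleObject1.bin: CFB magic followed by the CLSID bytes
# (not a valid compound file, only enough for the substring check).
SAMPLE_OLE_BLOB = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 0x48 + EQNEDT_CLSID + b"\x00" * 16

if __name__ == "__main__":
    for label, stream in (("benign", BENIGN_STREAM), ("overlong", OVERLONG_STREAM)):
        print(label, triage(SAMPLE_OLE_BLOB, stream))
```

On a real sample, unzip the .xlsx, pass the bytes of xl/embeddings/oleObject1.bin to has_equation_editor_clsid, and read the stream with olefile (OleFileIO(path).openstream("Equation Native").read()) before handing it to triage. The record scan is a triage heuristic only: it does not walk the MTEF record tree, so a byte with low nibble 8 inside some other record can yield a spurious candidate, and a short typeface name does not prove the object is benign.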

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 1a5b56a08755ecdef2d325327ce285698a486f972c9a8bda20f60015d71779b2
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
Size: 4608 bytes
Detection: ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0
Obfuscation or payload: unlikely