Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 24a1fdea54d16cfb…

MALICIOUS

Office (OOXML)

356.8 KB Created: 2019-02-11 21:50:00 UTC Authoring application: Microsoft Office Word 12.0000 First seen: 2019-11-20
MD5: a423527226cfc94fd512279988494a72 SHA-1: ef2c2085c33e6ee4d568368ae597862bcc29c55e SHA-256: 24a1fdea54d16cfb8f92e9a729a2c3808f0955cf26dd29d71c68feeeedaad825
182 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is identified as malicious due to the presence of an embedded OLE object, specifically the Equation Editor, which is known to be vulnerable to CVE-2017-11882. This exploit allows for arbitrary code execution when the document is opened. The ClamAV detection further confirms the exploit's presence and malicious nature.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object word/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
    • http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
    • http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: word/embeddings/oleObject1.bin 4608 bytes
SHA-256: cdf908a804d5fd7870b08f8bb1c10e2ff1f2a370585cc22b3ca00bcaebede63c
Detection
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.