Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2521c21939cd1a54…

MALICIOUS

Office (OOXML)

Size: 44.8 KB
Created: 2021-03-17 11:28:50 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-07-02

MD5: c2a9f976f6303cbeaf08ff31cf18d8be
SHA-1: 5647a2719cb62222bee56d8d25c15bcaddcdc2f8
SHA-256: 2521c21939cd1a54ca68d6169dacee74c01cc89784003d4bc50fda4293637b94

Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The critical heuristic 'OOXML_SPREADSHEET_DDE_MALICIOUS' indicates that a Dynamic Data Exchange (DDE) link stored in the workbook's external-link part is configured to execute the command 'cmd /C notepad'. A link of this shape is what Excel writes for a cell formula such as =cmd|'/C notepad'!A0: the DDE "service" becomes the program to launch and the "topic" becomes its arguments, so the mechanism runs arbitrary commands without any VBA macro. Attackers use it to bypass macro-based controls, typically with a cmd or PowerShell one-liner that downloads and executes a further stage. In this sample the launched program (notepad) is harmless on its own, which is consistent with a test or proof-of-concept document, but the file is still classified as malicious because the execution primitive is identical; note that Excel only fires the link after the recipient accepts the "update links" and "start application" prompts. The ClamAV detection further corroborates the malicious nature of the file.

Heuristics (2)

  • ClamAV: Xml.Exploit.DDE_Abuse-9987933-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xml.Exploit.DDE_Abuse-9987933-1
  • Spreadsheet DDE link launches a dangerous command [critical] OOXML_SPREADSHEET_DDE_MALICIOUS
    Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution (a ddeLink element in xl/externalLinks/externalLinkN.xml), distinct from WordprocessingML DDE field instructions (DDE/DDEAUTO field codes in word/document.xml).
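The following is an added example, not code from the report or its scanner, showing how the two DDE carriers the heuristic distinguishes can be detected offline with only the standard library: it opens an OOXML container as a zip, reads ddeService/ddeTopic from every ddeLink in xl/externalLinks/*.xml (the SpreadsheetML path flagged above), and separately parses DDE/DDEAUTO field instructions from word/document.xml (the WordprocessingML path). The sample documents are constructed in memory, the list of dangerous executables is an assumption for illustration, and the function names are this example's own.

```python
"""Detect DDE command execution in OOXML (xlsx/docx) containers.

SpreadsheetML:     xl/externalLinks/externalLinkN.xml  <ddeLink ddeService=".." ddeTopic="..">
WordprocessingML:  word/document.xml                    field code "DDE|DDEAUTO <app> <topic>"
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Assumption: a short LOLBin list for the example; a real scanner carries a fuller one.
DANGEROUS_EXES = {"cmd", "powershell", "pwsh", "mshta", "rundll32", "regsvr32",
                  "wscript", "cscript", "certutil", "msiexec", "bitsadmin"}

# DDE / DDEAUTO <application> <topic>; the application may be a quoted path.
_FIELD_RE = re.compile(r'\b(DDEAUTO|DDE)\s+("[^"]*"|\S+)\s*(.*)', re.IGNORECASE | re.DOTALL)


def exe_basename(path: str) -> str:
    """Normalise 'c:\\\\windows\\\\system32\\\\cmd.exe' or '"cmd.exe"' to 'cmd'."""
    name = path.strip().strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def scan_spreadsheet_dde(zf: zipfile.ZipFile) -> list:
    """SpreadsheetML: every ddeLink in the external-link parts."""
    findings = []
    for part in zf.namelist():
        if not (part.startswith("xl/externalLinks/") and part.endswith(".xml")):
            continue
        root = ET.fromstring(zf.read(part))
        for link in root.iter(f"{{{SML_NS}}}ddeLink"):
            service, topic = link.get("ddeService", ""), link.get("ddeTopic", "")
            findings.append({"part": part, "kind": "ddeLink", "service": service,
                             "topic": topic,
                             "dangerous": exe_basename(service) in DANGEROUS_EXES})
    return findings


def scan_word_dde(zf: zipfile.ZipFile) -> list:
    """WordprocessingML: DDE/DDEAUTO field instructions in the main document part."""
    findings = []
    if "word/document.xml" not in zf.namelist():
        return findings
    root = ET.fromstring(zf.read("word/document.xml"))
    W = f"{{{WML_NS}}}"
    # Complex fields split the instruction over several w:instrText runs, so join
    # them per paragraph; simple fields keep it in w:fldSimple/@w:instr.
    codes = ["".join(t.text or "" for t in p.iter(W + "instrText")) for p in root.iter(W + "p")]
    codes += [f.get(W + "instr", "") for f in root.iter(W + "fldSimple")]
    for code in codes:
        m = _FIELD_RE.search(code)
        if m:
            findings.append({"part": "word/document.xml", "kind": m.group(1).upper(),
                             "service": m.group(2), "topic": m.group(3).strip(),
                             "dangerous": exe_basename(m.group(2)) in DANGEROUS_EXES})
    return findings


def scan_ooxml(data: bytes) -> dict:
    """Verdict: malicious (DDE to a known LOLBin), suspicious (any DDE), else clean."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        findings = scan_spreadsheet_dde(zf) + scan_word_dde(zf)
    if any(f["dangerous"] for f in findings):
        verdict = "malicious"
    else:
        verdict = "suspicious" if findings else "clean"
    return {"verdict": verdict, "findings": findings}


# --- constructed sample containers (minimal parts, enough for the scanner) ---
def _zip(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample_xlsx(service: str = "cmd", topic: str = "/C notepad") -> bytes:
    """Constructed: the externalLink part Excel writes for =cmd|'/C notepad'!A0."""
    return _zip({
        "xl/workbook.xml": f'<workbook xmlns="{SML_NS}"><sheets/></workbook>',
        "xl/externalLinks/externalLink1.xml":
            f'<externalLink xmlns="{SML_NS}"><ddeLink ddeService="{service}" ddeTopic="{topic}">'
            '<ddeItems><ddeItem name="A0" advise="1"/></ddeItems></ddeLink></externalLink>',
    })


def build_sample_docx() -> bytes:
    """Constructed: a DDEAUTO field whose code is split across two w:instrText runs."""
    return _zip({"word/document.xml":
        f'<w:document xmlns:w="{WML_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve">DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe</w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve"> "/k calc.exe"</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'})


def build_benign_xlsx() -> bytes:
    """Constructed: a workbook with no external-link parts at all."""
    return _zip({"xl/workbook.xml": f'<workbook xmlns="{SML_NS}"><sheets/></workbook>'})


if __name__ == "__main__":
    for label, blob in (("xlsx", build_sample_xlsx()), ("docx", build_sample_docx()),
                        ("benign", build_benign_xlsx())):
        print(label, scan_ooxml(blob))
```

The per-paragraph join in scan_word_dde matters in practice: evasive documents split "DDEAUTO" and the command over many runs so that a naive string search on the raw XML never sees the token. A ddeLink whose service is a legitimate DDE server (for example Excel itself) is reported as suspicious rather than malicious, which is the distinction a triage queue needs.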