MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The critical heuristic 'OOXML_SPREADSHEET_DDE_MALICIOUS' indicates that a Dynamic Data Exchange (DDE) link within the Excel file is configured to execute the command 'cmd /C notepad'. This is a common technique to bypass security controls and launch arbitrary commands, often used to download and execute further malicious stages. The ClamAV detection further corroborates the malicious nature of the file.
Heuristics 2
-
ClamAV: Xml.Exploit.DDE_Abuse-9987933-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Xml.Exploit.DDE_Abuse-9987933-1
-
Spreadsheet DDE link launches a dangerous command critical OOXML_SPREADSHEET_DDE_MALICIOUSExcel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.
Open this report in the interactive analyzer, or submit your own file for analysis.