Sdrop Office (OOXML) / .XLSM malware analysis — malicious · 29e448915141519e

MALICIOUS

Office (OOXML) / .XLSM

48.6 KB Created: 2020-02-01 18:28:07 UTC Authoring application: Microsoft Excel 12.0000

MD5: ec50226d34bd3987143cb795b4745f75 SHA-1: 9d58e330066e99ee1a5ed1ff2d51fc4e7b40dcb3 SHA-256: 29e448915141519e46649ff36f0d1ab5f0b081b93f07322fd1212155f960c79a

320 Risk Score

Malware Insights

Sdrop · confidence 95%

The XLSM file contains an Auto_Open VBA macro that leverages a known Equation Editor vulnerability (CVE-2017-11882). This vulnerability is used to execute a command-line stager, which appears to be designed to download and execute a second-stage payload. The ClamAV detection name 'Xls.Dropper.Sdrop-9451844-0' further supports the dropper functionality.

Heuristics 8

CVE-2017-11882 — Equation Editor command stager critical CVE likely CVE_2017_11882_EQUATION_NATIVE_CMD

Embedded Equation Editor OLE data contains an invalid Equation Native/MTEF stream with an embedded command stager. This is likely CVE-2017-11882 exploitation because the vulnerable Equation Editor component is reached and the malformed native stream directly carries process-launch bytes.
Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/oleObject3.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
ClamAV: Xls.Dropper.Sdrop-9451844-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Dropper.Sdrop-9451844-0
Auto_Open macro high OLE_VBA_AUTO

Auto_Open macro
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
VBA project inside OOXML medium OOXML_VBA

Document contains vbaProject.bin — VBA macros present
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object

Extracted artifacts 9

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `c3b6fcb441e7603e45675c3e5d0f02c42184341dfa59b09c3d12cf5fe6ad13e4`	vba-macro	oletools.olevba.extract_macros (decoded VBA source from OOXML)	29244 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.
`ooxml_oleobject_00.bin` `393fa23d1b36e1e80240c6e78bdd5ddbeca7fee0c2c8a040583baf73181f3678`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject2.bin	12800 bytes
`ooxml_oleobject_00_ole10native_00.bin` `8e6f06c7d4f1181c6e1b6fa4fc62d1ab1e6b90bf3fc94f44c7f62ad3b2890b03`	ole-package	OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native	10213 bytes
`ooxml_oleobject_01.bin` `671c85466cdb8a263da36abdd94134735f4b2a2eff366a56f630d015322c0f7c`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject3.bin	5936 bytes
`ooxml_oleobject_02.bin` `df1b8f667f31a5b25f91257d3dae1cd6691dbcb8bf54e6e915384e1a79f24ec6`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject1.bin	3584 bytes
`ooxml_oleobject_02_ole10native_00.bin` `56fc5dcef6ff07d4be955fd8a78580ec0f16d8e50dbe9d700b72ba9f09b62e60`	ole-package	OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native	1281 bytes
`ooxml_oleobject_03.bin` `aed7dcabea1d8b841d80d52894b1622af1fca0dd2978f6ba1820f222ed716f76`	ooxml-ole-object	OOXML embedded OLE part: xl/vbaProject.bin	52736 bytes
`emf_00.emf` `979dde2aed02f077c16ae53546c6df9eed40e8386d6db6fc36aee9f966d2cb82`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	4968 bytes
`emf_01.emf` `4d4d1e7b04c99dcb8e885915068ad6f74cc2333e91580cdae5ccaa00c427247f`	ooxml-emf	OOXML EMF part: xl/media/image2.emf	1536 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.