Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2ed3cc7ec042c86d…

MALICIOUS

Office (OOXML)

Size: 9.6 KB
Created: 2021-05-17 07:29:42 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-05-23
MD5: 200c8ae65bc1e6c68799923e8e4adac4
SHA-1: 6ecee5da133ce13b5e77059f07ef9944ea836b2c
SHA-256: 2ed3cc7ec042c86d29dceb3295a7463511804e970634fe2b9a3ad5fb1212ad23
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The sample is an Excel workbook whose external-links part carries a DDE link with ddeService "cmd" and ddeTopic "/C notepad"; when the link is activated, Excel joins the two values and starts cmd.exe with the command line 'cmd /C notepad'. DDE abuse is a common delivery technique because it needs no VBA macro (so macro blocking does not stop it) and the launched command line is typically used to download and run further stages. Excel does prompt the user before following the link (a warning about external links, then a dialog asking whether to start the named application), so execution still depends on the recipient clicking through, which is why the technique is paired with spearphishing. The command line observed here only launches Notepad; the verdict rests on the mechanism, which is identical to the one used to run downloaders, and the ClamAV detection (Xml.Exploit.DDE_Abuse) corroborates the static finding.

Heuristics (2)

  • ClamAV: Xml.Exploit.DDE_Abuse-9987933-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xml.Exploit.DDE_Abuse-9987933-1
  • Spreadsheet DDE link launches a dangerous command critical OOXML_SPREADSHEET_DDE_MALICIOUS
    The workbook's xl/externalLinks/externalLinkN.xml part contains a ddeLink element whose ddeService names a dangerous executable (here cmd) and whose ddeTopic supplies its arguments (here /C notepad); Excel concatenates the two into the command line it runs when the link is activated. This is SpreadsheetML DDE command execution, the package form of a =cmd|'/C notepad'!A0 cell formula, and is distinct from the WordprocessingML DDE/DDEAUTO field instructions abused in Word documents.
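The following detector reproduces the OOXML_SPREADSHEET_DDE_MALICIOUS check described above as a worked example. It is added here and is not code from the report or from the analysis engine that produced it. It unzips a workbook, reads every xl/externalLinks/*.xml part, extracts ddeService and ddeTopic from each ddeLink element, and flags links whose server program is on a watch-list of living-off-the-land executables. The watch-list, the helper names and the minimal workbook it builds for input are all constructed for this example; the built workbook stands in for the analysed sample and is not that file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Programs that have no business acting as a DDE server for a spreadsheet link.
# Constructed watch-list for this example (assumption); extend it as needed.
DANGEROUS_EXECUTABLES = {
    "cmd", "powershell", "pwsh", "mshta", "regsvr32", "rundll32", "certutil",
    "wscript", "cscript", "msiexec", "bitsadmin", "wmic", "forfiles",
}


def _executable_name(service):
    """Reduce a ddeService value to a bare lower-case program name.

    Strips surrounding quotes, a directory path and a trailing .exe, so that
    '"C:\\Windows\\System32\\cmd.exe"' and 'cmd' both map to 'cmd'.
    """
    value = service.strip().strip('"').strip()
    if not value:
        return ""
    token = value.split(None, 1)[0]
    token = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if token.endswith(".exe"):
        token = token[:-4]
    return token


def find_dde_links(xlsx_bytes):
    """Scan an OOXML workbook (bytes) and return one finding per ddeLink element.

    SpreadsheetML stores DDE links in xl/externalLinks/externalLinkN.xml as
    <ddeLink ddeService="..." ddeTopic="...">; Excel builds the command line
    it runs from those two attributes, so that is what we report.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for part in zf.namelist():
            if not (part.startswith("xl/externalLinks/") and part.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                continue  # malformed part: worth a manual look, but not a DDE finding
            for element in root.iter():
                # Compare the local name so a missing or unusual namespace does not hide the link
                if element.tag.rsplit("}", 1)[-1] != "ddeLink":
                    continue
                service = element.get("ddeService", "")
                topic = element.get("ddeTopic", "")
                findings.append({
                    "part": part,
                    "ddeService": service,
                    "ddeTopic": topic,
                    "command": (service + " " + topic).strip(),
                    "dangerous": _executable_name(service) in DANGEROUS_EXECUTABLES,
                })
    return findings


def build_sample_xlsx(service, topic):
    """Build a minimal constructed workbook carrying one ddeLink (test input only)."""
    ns = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    rel = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    attr = {'"': "&quot;"}  # attribute values must escape embedded quotes
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            "</Types>"
        ),
        "xl/workbook.xml": (
            f'<workbook xmlns="{ns}" xmlns:r="{rel}">'
            '<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/></sheets>'
            '<externalReferences><externalReference r:id="rId2"/></externalReferences>'
            "</workbook>"
        ),
        "xl/_rels/workbook.xml.rels": (
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId2" Type="{rel}/externalLink" Target="externalLinks/externalLink1.xml"/>'
            "</Relationships>"
        ),
        "xl/externalLinks/externalLink1.xml": (
            f'<externalLink xmlns="{ns}">'
            f'<ddeLink ddeService="{escape(service, attr)}" ddeTopic="{escape(topic, attr)}">'
            '<ddeItems><ddeItem name="A0" advise="1" preferPic="1"/></ddeItems>'
            "</ddeLink></externalLink>"
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for the reported sample: cmd as DDE server, "/C notepad" as topic
    for finding in find_dde_links(build_sample_xlsx("cmd", "/C notepad")):
        flag = "DANGEROUS" if finding["dangerous"] else "ok"
        print(f'{finding["part"]}: {finding["command"]!r} [{flag}]')
```

A legitimate DDE link to another workbook (ddeService "Excel") passes through with dangerous=False, so the verdict is driven by the server program, not by the mere presence of a ddeLink. For a quick manual confirmation on a real file, `unzip -p sample.xlsx 'xl/externalLinks/*.xml' | grep -oE 'dde(Service|Topic)="[^"]*"'` shows the same two attributes the detector reads.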