Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 31035fd2a4c34c05…

MALICIOUS

Office (OOXML)

Size: 13.5 KB
Created: 2015-11-30 12:48:27 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2019-01-31
MD5: fde610ecc3f3f6a8bdd167f36a2a86bb
SHA-1: a80542c1fe2501464a647992f6b39bb66bddc4ec
SHA-256: 31035fd2a4c34c05e1a0f0003444423664a57ed695c7ab2b8d5afd2831245813
Risk score: 240

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The critical heuristic firings for CVE-2017-11882, together with the ClamAV detection, indicate that the file is designed to exploit this known vulnerability. The embedded OLE object, specifically the Equation Editor, is the exploitation mechanism. The document body appears to contain financial or transactional data, likely a lure to entice the user to open the malicious attachment.

Heuristics (4)

  • CVE-2017-11882 — Equation Editor FONT record overflow (critical; CVE likely; CVE_2017_11882)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object (high; CVE related; OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • Embedded OLE object (medium; OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
Size: 4096 bytes
SHA-256: 0c90079a41496df797f21148b62322e7f60e719461961249c83a67927ad98a11
Detection: ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0
Obfuscation or payload: unlikely