Office (OOXML) malware analysis — malicious · 429cc6328cd27ad9

MALICIOUS

Office (OOXML)

12.8 KB Created: 2018-06-06 06:52:16 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2019-05-16

MD5: 2b369ad9e281fc409a65f3c5f12a740b SHA-1: 49b5e3f042f9a1e064e40ad209264d20c9f239dd SHA-256: 429cc6328cd27ad991f3f75d9ee47c697d8fccce616d7474d806bfc9624d6feb

122 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample contains a critical heuristic firing for a malicious DDE link within an OOXML spreadsheet. This link is configured to execute cmd.exe with a command that downloads and executes a payload from the URL http://192.168.0.150/payload.exe. This indicates a likely attack pattern involving spearphishing attachments designed to deliver a secondary payload.

Heuristics 3

ClamAV: Xml.Exploit.DDE_Abuse-9987933-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xml.Exploit.DDE_Abuse-9987933-1
Spreadsheet DDE link launches a dangerous command critical OOXML_SPREADSHEET_DDE_MALICIOUS

Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://192.168.0.150/payload.exe In document text (OOXML body / shared strings)

Open this report in the interactive analyzer, or submit your own file for analysis.