Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 42fab25114be31de…

MALICIOUS

Office (OOXML)

Size: 9.8 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2019-01-11
MD5: 1a2dab1270231ca7f23d98d7b22c3593
SHA-1: 30b67089a8178ab894dc0dcf1651783fa8ab4ae4
SHA-256: 42fab25114be31de7137ac7ea909e31ef5dd2de209b79be174a88c82c61776ac
Risk Score: 180

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The file is identified as malicious due to the presence of an embedded OLE object, specifically the Equation Editor, a component known to be vulnerable to CVE-2017-11882. This vulnerability allows arbitrary code execution when the document is opened. The ClamAV detection further confirms the malicious nature of the file, flagging it as Doc.Exploit.CVE_2017_11882-6934206-0. The likely attack vector is a spearphishing attachment.

Heuristics (3)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
Size: 4096 bytes
SHA-256: 2e95c4b71aa22e410c4c04e3940951f509a02f1ce41fe07079e889471481c0a1
Detection: ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0
Obfuscation or payload: unlikely