Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 45ab15dcbb6e81b3…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 15.9 KB
Created: 2012-07-05 14:49:17 UTC
Authoring application: Microsoft Excel 14.0300 (Excel 2010)
First seen: 2015-09-30
MD5: a2781012cbe42a05ca97e42746eae3b0
SHA-1: 4be3cbdca60e55b1e7cfa31af0c906f68d7391c0
SHA-256: 45ab15dcbb6e81b3a564f33923f2fa8beed5e2a6f336a6bdfbf8090805de11ec
Risk score: 200

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The OOXML workbook contains an embedded OLE object (xl/embeddings/oleObject1.bin) carrying an Ole10Native package whose display name or original path ends in a directly auto-executable extension; by the platform's heuristics this is a dropper that runs the packaged file when the user double-clicks the embedded icon (T1204.002). The packaged payload itself was identified by ClamAV as the EICAR test file (Eicar-Test-Signature). EICAR is harmless by design, so that detection identifies the payload rather than proving harmful behaviour: the malicious verdict rests on the delivery mechanism, an OLE Package that drops an executable from a document, which is the classic pattern for a spearphishing attachment (T1566.001). A sample whose only payload is EICAR is most likely a test or proof-of-concept document, but the same structure with a real executable is a working dropper, and the embedded OLE object is the primary indicator to pivot on.

Heuristics (3)

  • ClamAV: Eicar-Test-Signature critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Eicar-Test-Signature
  • Ole10Native package drops an auto-executable payload critical OFFICE_PACKAGE_RISKY_FILE
    The OLE Package's displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script that the default shell host runs on double-click). The check is made on the package metadata, not on the payload bytes, so a renamed or novel payload still triggers it. Embedding such a payload inside an Office document has essentially no legitimate authoring use; it is the signature of a malware-delivery dropper.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
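The Ole10Native check above, reconstructed as a worked example. This is an added illustration for this report and not the analysis platform's own code: it serialises a constructed Ole10Native stream (dummy payload, no EICAR string), parses it back using the layout that oletools' OleNativeStream reads, and applies the displayName/fullPath extension test. The RISKY_EXTENSIONS set is an assumption (a representative list, not the platform's exact one), and find_ole_packages assumes the olefile package is installed.

```python
"""Ole10Native (OLE Package) parser plus the OFFICE_PACKAGE_RISKY_FILE check.

Added example for this report, not the analysis platform's code. Stream layout
follows what oletools' OleNativeStream reads; RISKY_EXTENSIONS is an assumed,
representative list of extensions that run directly on double-click.
"""
import ntpath
import struct

RISKY_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".msi", ".cpl",                     # binaries
    ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta",  # script hosts
}


def build_ole10native(label, filename, temp_path, payload):
    """Serialise a minimal Ole10Native stream (constructed test input only).

    Layout: <I total_size><H flags><label\\0><filename\\0><H><H>
            <I temp_len><temp_path\\0><I data_size><data>
    """
    body = struct.pack("<H", 2)                      # flags, normally 0x0002
    body += label.encode("latin-1") + b"\x00"        # displayName shown under the icon
    body += filename.encode("latin-1") + b"\x00"     # fullPath on the author's machine
    body += struct.pack("<HH", 0, 3)                 # two constant shorts
    tmp = temp_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", len(tmp)) + tmp        # length-prefixed temp path
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body       # size excludes its own 4 bytes


def _cstring(buf, pos):
    """Read a NUL-terminated latin-1 string starting at pos."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated string in Ole10Native stream")
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Parse an Ole10Native stream into its metadata and embedded file bytes."""
    if len(stream) < 6:
        raise ValueError("too short for an Ole10Native header")
    total_size, flags = struct.unpack_from("<IH", stream, 0)
    if total_size > len(stream) - 4:                 # truncated or size field lies
        raise ValueError("declared size %d exceeds stream length %d" % (total_size, len(stream)))
    pos = 6
    label, pos = _cstring(stream, pos)
    filename, pos = _cstring(stream, pos)
    pos += 4                                         # skip the two constant shorts
    if len(stream) < pos + 4:
        raise ValueError("truncated before temp path length")
    (temp_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    temp_path = stream[pos:pos + temp_len].rstrip(b"\x00").decode("latin-1")
    pos += temp_len
    if len(stream) < pos + 4:
        raise ValueError("truncated before data size")
    (data_size,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    data = stream[pos:pos + data_size]
    if len(data) != data_size:
        raise ValueError("declared payload size %d exceeds available bytes" % data_size)
    return {"flags": flags, "label": label, "filename": filename,
            "temp_path": temp_path, "data": data}


def risky_extension(name):
    """True when the name ends in a directly auto-executable extension."""
    return ntpath.splitext(name)[1].lower() in RISKY_EXTENSIONS


def assess_package(stream):
    """Apply the report's heuristic: flag if displayName or fullPath is auto-executable."""
    pkg = parse_ole10native(stream)
    hits = [n for n in (pkg["label"], pkg["filename"]) if n and risky_extension(n)]
    return {"label": pkg["label"], "filename": pkg["filename"],
            "payload_size": len(pkg["data"]),
            "OFFICE_PACKAGE_RISKY_FILE": bool(hits), "matched_names": hits}


def find_ole_packages(ooxml_path):
    """Carve Ole10Native streams from an OOXML file's embedded OLE parts.

    Needs olefile (pip install olefile); not exercised by the constructed sample.
    """
    import zipfile
    import olefile
    found = []
    with zipfile.ZipFile(ooxml_path) as z:
        for name in z.namelist():
            if "/embeddings/" not in name or not name.lower().endswith(".bin"):
                continue
            blob = z.read(name)
            if not olefile.isOleFile(blob):
                continue
            ole = olefile.OleFileIO(blob)
            if ole.exists("\x01Ole10Native"):
                found.append((name, ole.openstream("\x01Ole10Native").read()))
            ole.close()
    return found


if __name__ == "__main__":
    # Constructed sample: label and path end in .exe, payload is dummy bytes.
    sample = build_ole10native("invoice.exe", r"C:\Users\author\Desktop\invoice.exe",
                               r"C:\Temp\invoice.exe", b"MZ dummy payload")
    print(assess_package(sample))
```

To run it against a real workbook, feed each stream returned by find_ole_packages(path) to assess_package; the size check at the top of parse_ole10native is what turns a truncated or size-lying stream into a clean error instead of a silent short read.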

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part xl/embeddings/oleObject1.bin
  Size: 2560 bytes
  SHA-256: 4ded53410ba947573d4dcaf4aec4da365ccec6b6e4bd55c6fab558d603e49de7
  Detection: ClamAV: Eicar-Test-Signature
  Obfuscation or payload: unlikely

Filename: ooxml_oleobject_00_ole10native_00.bin
  Kind: ole-package
  Source: Ole10Native stream inside xl/embeddings/oleObject1.bin
  Size: 317 bytes
  SHA-256: 2fd88ddf92804d289db4fdf341738339cda0e9453ae5ed04ca68e1e5d583b5dd

Filename: emf_00.emf
  Kind: ooxml-emf
  Source: OOXML EMF part xl/media/image1.emf (likely the icon rendered for the embedded object)
  Size: 4988 bytes
  SHA-256: 8e389114f1100f1fd7bc2b2d7ddb7ad9e00c220d89bfceb40e371ed32caed6df