Office (OOXML) malware analysis — malicious · 45c7ff92a9aa4e01

MALICIOUS

Office (OOXML)

73.1 KB Created: 2021-11-05 22:21:44 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2021-11-22

MD5: 0ca0dfc137344c935f17db07e66175e8 SHA-1: f331c2e7d089cca16efd45c9f04131ed67a7bf00 SHA-256: 45c7ff92a9aa4e01ba20e6428c6b15ff2c80b7bc40a6886f1c9a84b7354fa8e4

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment

The sample is an Excel document containing a malicious DDE link. This link is configured to execute a command-line that launches PowerShell. The PowerShell command decodes a Base64 string, which is likely a second-stage payload. The document body contains Thai text related to document creation and data entry, which appears to be a lure.

Heuristics 2

ClamAV: Xml.Exploit.DDE_Abuse-9987933-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xml.Exploit.DDE_Abuse-9987933-1
Spreadsheet DDE link launches a dangerous command critical OOXML_SPREADSHEET_DDE_MALICIOUS

Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.

Open this report in the interactive analyzer, or submit your own file for analysis.