Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 4a276d9ebd099d3b…

MALICIOUS

Office (OOXML)

Size: 36.0 KB
Created: 2019-03-18 20:41:36 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2020-04-06
MD5: 1d67ddadadb4beb888a10f31d2e2ba18
SHA-1: 5ef223c771b286d5ac6a8e54c2986b437e214266
SHA-256: 4a276d9ebd099d3badaf93e66249189181c1505eafece970aac578ad46cf210a
Risk score: 240

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The file is an OOXML workbook (xl/ part tree, authored in Excel) with an embedded OLE object identified as a Microsoft Equation Editor object. The MTEF stream inside that object carries a malformed FONT record, the known trigger for CVE-2017-11882, and ClamAV matches the file against its signature for that exploit. The document body appears to be a benign budget template, so the embedded exploit is the file's primary malicious function: opening the workbook on a host where the legacy EQNEDT32.EXE is still installed and unpatched hands control to attacker-supplied code running with the Office user's privileges. Hosts with the November 2017 fix, or the January 2018 update that removed the Equation Editor component, are not affected by this trigger.

Heuristics (4)

  • CVE-2017-11882 — Equation Editor FONT record overflow [critical, CVE likely: CVE_2017_11882]
    The Equation Editor MTEF stream contains an overlong FONT typeface field, the input to the vulnerable copy primitive behind CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object [high, CVE related: OLE_EQUATION_EDITOR]
    The embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 [critical, CLAMAV_DETECTION]
    ClamAV matched the file against signature Doc.Exploit.CVE_2017_11882-6934206-0.
  • Embedded OLE object [medium, OOXML_OLE_OBJECT]
    The document contains an embedded OLE object.
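To make the two Equation Editor heuristics above concrete, here is an added Python example (written for this report page, not code from the analysis platform) that applies the same checks to an OOXML container: it looks for the Equation Editor CLSID in each embedded OLE part and walks the MTEF stream for FONT records whose typeface name exceeds the fixed stack buffer. The CLSID value, the MTEF version-3 header bytes and the record tags are the published ones; the 36-byte buffer limit, the raw-byte scan in place of a proper compound-file parse, and the build_sample() container are assumptions and constructions for this example, not data taken from the sample.

```python
"""Heuristic scanner for Equation Editor (CVE-2017-11882) objects in OOXML files."""
import io
import struct
import uuid
import zipfile

# Equation Editor 3.0 class ID as it appears on disk (little-endian GUID layout).
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le

# MTEF version-3 header: version 3, platform Windows (1), product EqnEdit (1), 3.10.
MTEF3_HEADER = b"\x03\x01\x01\x03\x0a"

# Assumed size of the fixed stack buffer the FONT typeface name is copied into.
FONT_NAME_LIMIT = 36

FONT_TAG = 8
# Records that occupy a single byte when no option flags are set:
# END, LINE, FULL, SUB, SUB2, SYM, SUBSYM.
SINGLE_BYTE_TAGS = {0, 1, 10, 11, 12, 13, 14}


def mtef_font_names(stream: bytes):
    """Yield typeface-name fields of FONT records in an MTEF v3 stream.

    Handles only the simple record types found at the start of exploit streams
    and stops at the first record it cannot size, rather than mis-parsing."""
    pos = stream.find(MTEF3_HEADER)
    if pos < 0:
        return
    pos += len(MTEF3_HEADER)
    while pos < len(stream):
        tag = stream[pos] & 0x0F          # low nibble: record tag
        flags = stream[pos] & 0xF0        # high nibble: option flags
        if tag == FONT_TAG:
            # FONT: tag, tface, style, then a null-terminated typeface name.
            end = stream.find(b"\x00", pos + 3)
            if end < 0:
                end = len(stream)
            yield stream[pos + 3:end]
            pos = end + 1
        elif tag in SINGLE_BYTE_TAGS and flags == 0:
            if tag == 0:
                return                    # END record
            pos += 1
        else:
            return                        # unknown or option-bearing record


def scan_ole_object(blob: bytes) -> dict:
    """Raw-byte heuristics over an embedded OLE part (no CFB directory walk)."""
    names = list(mtef_font_names(blob))
    longest = max((len(n) for n in names), default=0)
    return {
        "equation_editor_clsid": EQNEDT_CLSID in blob,
        "font_records": len(names),
        "longest_font_name": longest,
        "overlong_font_record": longest > FONT_NAME_LIMIT,
    }


def scan_ooxml(data: bytes) -> dict:
    """Scan every embedded OLE part of an OOXML container (xlsx/docx/pptx)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if "/embeddings/" in name and name.lower().endswith(".bin"):
                results[name] = scan_ole_object(zf.read(name))
    return results


def verdict(results: dict) -> str:
    """Rank the findings the same way the report's heuristics do."""
    if any(r["overlong_font_record"] for r in results.values()):
        return "CVE-2017-11882 pattern: overlong FONT typeface field"
    if any(r["equation_editor_clsid"] for r in results.values()):
        return "Equation Editor object present (weaker signal)"
    return "no Equation Editor indicators"


def build_sample(font_name: bytes) -> bytes:
    """Constructed test input, not the analysed sample: a minimal xlsx-like zip whose
    embedded part is a fake OLE blob carrying the CLSID, a 28-byte EQNOLEFILEHDR
    stand-in and an MTEF v3 stream with one FONT record."""
    mtef = (MTEF3_HEADER + b"\x0a\x01"           # FULL size record, LINE record
            + bytes([FONT_TAG, 1, 0]) + font_name + b"\x00"
            + b"\x00")                           # END record
    eqn_hdr = struct.pack("<HIHIIIII", 0x1C, 0x00020000, 0, len(mtef), 0, 0, 0, 0)
    blob = b"\x00" * 64 + EQNEDT_CLSID + b"\x00" * 16 + eqn_hdr + mtef
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/embeddings/oleObject1.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for label, name in (("exploit-like", b"A" * 200), ("benign", b"Times New Roman")):
        print(label, verdict(scan_ooxml(build_sample(name))))
```

The raw-byte scan is deliberately conservative: it flags the CLSID anywhere in the part and the FONT record only when the MTEF header is found intact. A production scanner should open the part with a compound-file parser such as olefile and read the "Equation Native" stream directly, since a stream split across CFB sectors can hide the record from a linear scan.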

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject1.bin | 4096 bytes
  SHA-256: 179bba7d342c2b34963d00a9dd92623087919b29fc4a294df80305d4f178979a
  Detection: ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0
  Obfuscation or payload: unlikely
emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 4056 bytes
  SHA-256: 272937d3a78fa3875cee073b0c04a2f9c9438aaeed043eb1f9b18b8afa283def