Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 589a459641de356b…

MALICIOUS

Office (OOXML)

9.6 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2019-05-16
MD5: b955456c70301ab40dfe496093900d34 SHA-1: 6a7cae0bdff072279a595f253c8e9b70ba194426 SHA-256: 589a459641de356b46054f98a877d90f2961c589735fb712670199ed4f5ab09a
240 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The critical heuristics indicate the presence of the CVE-2017-11882 vulnerability within an embedded Equation Editor OLE object. This vulnerability is known to allow for arbitrary code execution when the document is opened. The file is classified as malicious due to this exploit.

Heuristics 4

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 4096 bytes
SHA-256: 2bee3462ceb33f1083282c0c4fb7cbd1014ad8c9f8f47f2a2eb58afd2078672c
Detection
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0
Obfuscation or payload: unlikely