Office (OOXML) / .XLSX malware analysis — malicious · 58fd8f10b5f4607f

MALICIOUS

Office (OOXML) / .XLSX

723.9 KB Created: 2020-05-18 06:42:12 UTC Authoring application: Microsoft Excel 15.0300

MD5: 097191c4380a116c0b0a388297436324 SHA-1: 8651e462e46f0efd3e6bb923899c0cad1b53adfc SHA-256: 58fd8f10b5f4607f62cafd630b07c255a791c598015388d76b4291a2f1e40bb6

120 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1559.001 Component Object Model and Distributed Component Object Model

The critical heuristic firing for CVE-2017-11882 indicates that this document exploits a known vulnerability in Microsoft Equation Editor. This vulnerability allows for arbitrary code execution when the embedded OLE object is processed. The presence of an embedded OLE object further supports this attack vector. The document body content appears to be a fabricated fabric booking chart, likely a lure to entice the user to open the malicious document.

Heuristics 3

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/U2RG7Cv4.d0ua contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `6e11b8fbd4fff186e58eb1a412d7299a53b3b362d1ce9ae1b41b5f4efdac4d93`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/U2RG7Cv4.d0ua	912384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.