Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5bd25ff270a1c214…

MALICIOUS

Office (OOXML)

Size: 10.4 KB
Created: 2021-09-23 15:28:25 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-10-26
MD5: 8512a781f1569ccf15549d3ae12e21c1
SHA-1: da8c268162430d13e5f54386dd0d3749b959bf37
SHA-256: 5bd25ff270a1c21485a5b2003b27fb7d6766abd5276ec5e7ec436b416e08f361
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1566.001 Spearphishing Attachment

The sample is an Excel spreadsheet that contains a malicious DDE link. The link is configured to execute the command 'cmd /C notepad', a clear indicator of intent to run arbitrary code when the workbook is opened and the DDE prompt is accepted. The DDE abuse heuristic and the ClamAV detection both confirm that this file is exploitable. The likely initial access vector is a spearphishing attachment.

Heuristics (2)

  • ClamAV: Xml.Exploit.DDE_Abuse-9987933-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xml.Exploit.DDE_Abuse-9987933-1
  • Spreadsheet DDE link launches a dangerous command (critical, OOXML_SPREADSHEET_DDE_MALICIOUS)
    The Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.