Verdict: MALICIOUS
Risk Score: 180

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The sample is an OOXML file containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate an anomaly consistent with CVE-2018-0798, a vulnerability in Equation Editor that allows for arbitrary code execution. The external relationship points to a local file path, suggesting it may have been part of a phishing campaign.
Heuristics (5)

- Equation Editor OLE object [high] OLE_EQUATION_EDITOR: Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
- CVE-2018-0798 — anomalous Equation Editor native stream [high, CVE likely] CVE_2018_0798_EQUATION_NATIVE_ANOMALY: Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
- NOP sled detected [high] SC_NOP_SLED: Found 20+ consecutive 0x90 bytes.
  Disassembly: attempted x86 opcode disassembly.
- External relationship [high] OOXML_EXTERNAL_REL: External target in xl/externalLinks/_rels/externalLink2.xml.rels: file:///\\이은진\자료방 (d)\Documents and Settings\마나텍스\바탕 화면\세금계산서-신진텍스타일\세금계산서발행.xls
- Embedded OLE object [medium] OOXML_OLE_OBJECT: Document contains an embedded OLE object.
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject1.bin | 4608 bytes | 2a0f89942454938c11b1d02ba99e57e79898e0b9e2d38e15d8a2f0ff464806e6 |
| ooxml_oleobject_00_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native | 2125 bytes | 69c67b6c782bbc82911f85a9f867554502aeca068e3163787a1b8ef1184ec67f |