Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5dfcd69077c895ca…

Verdict: MALICIOUS

File type: Office (OOXML)
Size: 287.4 KB
Created: 2015-11-20 02:18:31 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2018-10-07

MD5: 5e7685b19a961284c4694bbcff47eaf5
SHA-1: 52c42360ee9d08291ad0c226779ab4047064cd01
SHA-256: 5dfcd69077c895ca0c3b62cb22c86b0c2bfad58857a8ebfeaf4f646b6e98730f

Risk score: 180

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an OOXML file containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate an anomaly consistent with CVE-2018-0798, a vulnerability in Equation Editor that allows for arbitrary code execution. The external relationship points to a local file path, suggesting it may have been part of a phishing campaign.

Heuristics (5)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • CVE-2018-0798 — anomalous Equation Editor native stream (severity: high; CVE likely; rule: CVE_2018_0798_EQUATION_NATIVE_ANOMALY)
    Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
  • NOP sled detected (severity: high; rule: SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes
    Disassembly: attempted x86 opcode disassembly renders the run as consecutive nop instructions.
  • External relationship (severity: high; rule: OOXML_EXTERNAL_REL)
    External target in xl/externalLinks/_rels/externalLink2.xml.rels: file:///\\이은진\자료방 (d)\Documents and Settings\마나텍스\바탕 화면\세금계산서-신진텍스타일\세금계산서발행.xls
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
Size: 4608 bytes
SHA-256: 2a0f89942454938c11b1d02ba99e57e79898e0b9e2d38e15d8a2f0ff464806e6

Filename: ooxml_oleobject_00_ole10native_00.bin
Kind: ole-package
Source: OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
Size: 2125 bytes
SHA-256: 69c67b6c782bbc82911f85a9f867554502aeca068e3163787a1b8ef1184ec67f