Office (OOXML) malware analysis — malicious · 615ba5fe566327c2

MALICIOUS

Office (OOXML)

9.2 KB Created: 2017-11-04 20:08:06 UTC Authoring application: Microsoft Excel 14.0300 First seen: 2019-08-04

MD5: 59c8e589a6e7f2263659e7bae16a02d3 SHA-1: d508280cd904f1c3a0f02b5e652baeb64180b6d4 SHA-256: 615ba5fe566327c2ba3299bb141c19deb88a397e162dde963b09d327b4916461

82 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is identified by ClamAV as Ppt.Exploit.CVE_2017_0199-6336815-3, indicating exploitation of CVE-2017-0199. An external relationship points to the URL http://avast.dongguanmolds.com/svchosl.123, which is likely used to download and execute a secondary payload. The document was likely delivered via spearphishing.

Heuristics 3

ClamAV: Ppt.Exploit.CVE_2017_0199-6336815-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Ppt.Exploit.CVE_2017_0199-6336815-3
External relationship medium OOXML_EXTERNAL_REL

External target in xl/externalLinks/_rels/externalLink1.xml.rels: script:http://avast.dongguanmolds.com/svchosl.123
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://avast.dongguanmolds.com/svchosl.123 OOXML external relationship

Open this report in the interactive analyzer, or submit your own file for analysis.