Formbook — Office (OLE) / .XLSX malware analysis

Static analysis result for SHA-256 629cab6f60e0d2f6…

MALICIOUS

Office (OLE) / .XLSX

187.2 KB First seen: 2022-02-23
MD5: 49d50e6d9f2622f1ff083cc5d62c8663 SHA-1: a0fe5bfd7009b25143bc755fb6cd5f705ef37e5f SHA-256: 629cab6f60e0d2f625c3a8c8784407f43f834bce86c1c27ae443e6aed7ec3062
240 Risk Score

Malware Insights

Formbook · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is a password-encrypted OOXML file identified as a malicious downloader by ClamAV, specifically detecting it as Formbook. The presence of an Equation Editor OLE object (OLE_EQUATION_EDITOR) strongly suggests exploitation of a known vulnerability to achieve initial execution. The encryption and malformed structure (OLE_ENCRYPTED_AND_MALFORMED) are common evasion techniques for malicious Office documents. The embedded nature points to a likely spearphishing attachment delivery vector.

Heuristics 6

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Default-encrypted OOXML embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Encrypted Office package with CFB FAT corruption critical OLE_ENCRYPTED_AND_MALFORMED
    Encrypted-package shape co-occurs with FAT-chain corruption — the documented combined evasion form.
  • ClamAV: Doc.Downloader.Formbook-bc97c1e0c33c3c93-9951465-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Formbook-bc97c1e0c33c3c93-9951465-0
  • Default-encrypted OOXML exploit carrier layout high OOXML_ENCRYPTED_EXPLOIT_CARRIER_SHAPE
    Default-password encrypted OOXML package contains embedded OLE object parts and additional activation/decoy parts. This layout is common in malicious Excel exploit delivery and requires inspecting the decrypted package.
  • Office document is password-encrypted medium OFFICE_ENCRYPTED_PACKAGE
    OLE container holds MS-OFFCRYPTO encrypted package (Standard Encryption (Office 2007, AES)).
  • Office OOXML encrypted with default VelvetSweatshop password medium OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML
    OLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens this transparently, and malware uses it to hide OOXML exploit parts from scanners that only inspect the outer OLE container.

Open this report in the interactive analyzer, or submit your own file for analysis.