Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 8969c56e0d541e0e…

MALICIOUS

Office (OOXML)

7.4 KB Created: 2017-11-04 20:08:06 UTC Authoring application: Microsoft Excel 14.0300 First seen: 2019-11-20
MD5: 1b4f204c668d78e2498a117d40ef3e5f SHA-1: 5bbde2e89d31c803929002bc800a399f61b6dc24 SHA-256: 8969c56e0d541e0ea42021d4165505474c4dd99605926ab3c391df02af2d919e
82 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The critical ClamAV heuristic identifies the file as Ppt.Exploit.CVE_2017_0199-6336815-3, indicating exploitation of CVE-2017-0199. An external relationship points to the URL http://a.pomfe.co/hnwila.xml, likely hosting a secondary payload. This suggests the document is a malicious attachment designed to exploit a client vulnerability and execute further malicious code.

Heuristics 3

  • ClamAV: Ppt.Exploit.CVE_2017_0199-6336815-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Ppt.Exploit.CVE_2017_0199-6336815-3
  • External relationship medium OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: script:http://a.pomfe.co/hnwila.xml
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://a.pomfe.co/hnwila.xml OOXML external relationship