Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 a2e0e1c0711cea15…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 13.1 KB
Created: 2015-11-30 12:48:27 UTC
Authoring application: Microsoft Excel 15.0300 (AppVersion 15.0300, i.e. Office 2013)
First seen: 2019-03-10
MD5: 89c5bcedac09ec67952efd7b3f26d155
SHA-1: d46e549fe897d870a5bf54a49e07217c8cdd1a02
SHA-256: a2e0e1c0711cea155cd869580c15964134852683ffa53d6d0212d009341eb3a6
Risk score: 240

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The two critical heuristic firings (the CVE-2017-11882 FONT record overflow and the ClamAV signature) indicate that the file is built to exploit this known vulnerability. The embedded OLE object, an Equation Editor (EQNEDT32.EXE) object, is the exploit vector. The document body appears to be financial or transactional data, most likely a lure to entice the recipient to open the attachment. Note that the 2015 creation timestamp predates the November 2017 disclosure of CVE-2017-11882; it comes from the document's own metadata (docProps/core.xml), which is set by the author or inherited from a template, so it says nothing about when the file was actually built.

Heuristics (4)

  • CVE-2017-11882 — Equation Editor FONT record overflow [critical] [CVE likely] (CVE_2017_11882)
    The Equation Editor MTEF data contains an overlong FONT typeface field, the input to the vulnerable copy primitive behind CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone, because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object [high] [CVE related] (OLE_EQUATION_EDITOR)
    The embedded OLE object xl/embeddings/oleObject1.bin carries the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798. Legitimate documents with equations embed the same CLSID, so this indicator is only supporting evidence on its own.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • Embedded OLE object [medium] (OOXML_OLE_OBJECT)
    The document contains an embedded OLE object.
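
The two strongest heuristics above (the Equation Editor CLSID in the embedded part and the overlong FONT typeface name in the MTEF data) can be reproduced with a short triage script. The following is an added example and is not the scanner that produced this report. It assumes the published Equation.3 CLSID and the EQNOLEFILEHDR / MTEF v3 layouts, takes 36 bytes (the fixed stack buffer the exploit overruns in EQNEDT32.EXE) as the name-length threshold, and runs over an OOXML container and OLE part constructed in memory rather than over the real sample.

```python
"""Heuristic triage of an OOXML sample for the two CVE-2017-11882 indicators:
the Equation Editor CLSID in an embedded OLE part and an overlong MTEF FONT record.

Added example; not the scanner that produced the report. Assumptions:
 - CLSID, EQNOLEFILEHDR layout and MTEF v3 tag encoding follow the published
   Equation Editor / MathType formats;
 - FONT_NAME_LIMIT (36) is taken as the size of the fixed stack buffer the
   exploit overruns in EQNEDT32.EXE;
 - the OOXML container and OLE blob built by build_sample() are constructed
   in memory for the demo (the OLE part is not a valid compound file).
"""
import io
import struct
import zipfile

# Equation Editor 3.0 ("Equation.3") class identifier in text form.
EQUATION_EDITOR_CLSID = "0002CE02-0000-0000-C000-000000000046"

# EQNOLEFILEHDR: cbHdr (WORD, 0x1C), version (DWORD, 0x00020000), cf (WORD),
# cbObject (DWORD, length of the MTEF data that follows), 16 reserved bytes.
EQN_HDR_MAGIC = struct.pack("<HI", 0x1C, 0x00020000)
EQN_HDR_LEN = 28
EQN_CBOBJECT_OFF = 8

MTEF_HEADER_LEN = 5   # version, platform, product, product version, subversion
MTEF_FONT_TAG = 0x08  # record type lives in the low nibble of the tag byte (MTEF v3)
FONT_NAME_LIMIT = 36  # assumed stack-buffer size; longer typeface names overrun it


def clsid_to_bytes(clsid: str) -> bytes:
    """Serialize a GUID the way OLE stores it: first three fields little-endian, rest as-is."""
    d1, d2, d3, d4, d5 = clsid.split("-")
    return struct.pack("<IHH", int(d1, 16), int(d2, 16), int(d3, 16)) + bytes.fromhex(d4 + d5)


def has_equation_editor_clsid(blob: bytes) -> bool:
    """Raw byte search; a CFB parser would read the CLSID from the root directory entry instead."""
    return clsid_to_bytes(EQUATION_EDITOR_CLSID) in blob


def find_mtef(blob: bytes):
    """Return the MTEF bytes that follow the first EQNOLEFILEHDR in blob, or None."""
    i = blob.find(EQN_HDR_MAGIC)
    if i < 0:
        return None
    (cb_object,) = struct.unpack_from("<I", blob, i + EQN_CBOBJECT_OFF)
    start = i + EQN_HDR_LEN
    return blob[start:start + cb_object]


def overlong_font_records(mtef: bytes, limit: int = FONT_NAME_LIMIT):
    """Linear scan for FONT records (tag, typeface, style, NUL-terminated name)
    whose name exceeds `limit`. Returns [(offset, name_length), ...].

    A detection heuristic, not a full MTEF parser: every byte with the FONT tag
    in its low nibble is tried as a record start, and only overlong candidates
    are reported, which keeps legitimate short typeface names from firing."""
    hits = []
    pos = MTEF_HEADER_LEN
    while pos + 3 < len(mtef):
        if mtef[pos] & 0x0F == MTEF_FONT_TAG:
            name_start = pos + 3
            end = mtef.find(b"\x00", name_start)
            if end < 0:
                end = len(mtef)  # unterminated name: treat the rest as the field
            name_len = end - name_start
            if name_len > limit:
                hits.append((pos, name_len))
                pos = end + 1
                continue
        pos += 1
    return hits


def triage_ooxml(ooxml: bytes) -> dict:
    """Open an OOXML container from memory and check every embedded OLE part."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(ooxml)) as z:
        for name in z.namelist():
            if "/embeddings/" not in name or not name.endswith(".bin"):
                continue
            blob = z.read(name)
            mtef = find_mtef(blob)
            findings[name] = {
                "equation_editor_clsid": has_equation_editor_clsid(blob),
                "overlong_font_records": overlong_font_records(mtef) if mtef else [],
            }
    return findings


def build_sample(font_name: bytes) -> bytes:
    """Constructed input: a minimal OOXML zip whose embedded part carries the CLSID
    and an Equation Native stream with one FONT record named `font_name`."""
    mtef = bytes([3, 1, 1, 3, 10])                                    # MTEF v3 header
    mtef += b"\x01"                                                   # LINE record
    mtef += bytes([MTEF_FONT_TAG, 0x01, 0x00]) + font_name + b"\x00"  # FONT record
    mtef += b"\x00"                                                   # END record
    hdr = struct.pack("<HIHI", 0x1C, 0x00020000, 0, len(mtef)) + b"\x00" * 16
    blob = clsid_to_bytes(EQUATION_EDITOR_CLSID) + hdr + mtef
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/embeddings/oleObject1.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for label, name in (("benign", b"Times New Roman"), ("overlong", b"A" * 60)):
        print(label, triage_ooxml(build_sample(name)))
```

To run it against a real file, pass open(path, "rb").read() to triage_ooxml(). A production rule would parse the compound file properly (for example with the olefile library) and read the CLSID from the root directory entry and the "Equation Native" stream directly, rather than raw-scanning the blob as this heuristic does.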

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
Size: 3584 bytes
SHA-256: 1d9b0eb10b0b3b8f158b0c8949d8827a7c22469f50668500074397a500dafb5e
Detection: ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0
Obfuscation or payload: unlikely