Office (OOXML) malware analysis — malicious · ab6ab02c3aa9fa7f

MALICIOUS

Office (OOXML)

9.3 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2021-05-29

MD5: 043d916e056c312066d67bd4cd384a13 SHA-1: 3fae9272c662a7f06f73b22d55d5b4fb32766815 SHA-256: ab6ab02c3aa9fa7f58c7b1438b23ee20fea834286ab5e68331ff20605865e110

60 Risk Score

Malware Insights

MITRE ATT&CK

T1218.005 Client Execution: Signed Binary Proxy Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample is an OOXML spreadsheet that contains a malicious DDE link. This link is configured to execute the command 'cmd /C notepad', which is a common technique for launching arbitrary commands. The DDE exploit is a known method for initial execution, often leading to further payload delivery.

Heuristics 1

Spreadsheet DDE link launches a dangerous command critical OOXML_SPREADSHEET_DDE_MALICIOUS

Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.

Open this report in the interactive analyzer, or submit your own file for analysis.