Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 d5dc334a8618af67…

MALICIOUS

Office (OOXML)

62.9 KB Created: 2018-09-09 12:27:30 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2019-06-27
MD5: 1d47201c7a2157a622d45791d0fefa68 SHA-1: 49a28cdc636f4580f57996a3dcddc67a1bef8fb5 SHA-256: d5dc334a8618af67044ce3ad4c645835c56c1fb67ae8272f89605e7f12016d36
200 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a signature specifically matching the CVE-2017-11882 vulnerability in the Equation Editor OLE object. The document also contains a lure to enable editing, which is a common tactic for macro-based malware. This suggests the primary attack vector is exploitation of the Equation Editor vulnerability to achieve code execution.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 4608 bytes
SHA-256: f5f56f90cf3d64cee69d4b0cf718320042b0cb08039ef11e07a5e541c1a59da9
Detection
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0
Obfuscation or payload: unlikely