Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 df52965447f2465b…

MALICIOUS

Office (OOXML)

Size: 11.3 KB
Created: 2020-12-24 13:00:34 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2020-12-28
MD5: 26cf1cf828f5fcd8aafdeda8d97e04c5
SHA-1: 6832d02b2af00f4cf4bf06a8c17d64a6248ac58b
SHA-256: df52965447f2465b79c48b5cfbe77412c5a817e2e2bcb1b18b520f30368b7324
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical heuristic 'OOXML_SPREADSHEET_DDE_MALICIOUS' indicates that a Dynamic Data Exchange (DDE) link in the Excel file is configured to execute a command. The command uses 'certutil' to download a payload from 'ftp://qazwsx@240520.ddns.net/dba.exe', save it as '%APPDATA%\dba.exe', and then execute it. The file is therefore a downloader for a second-stage payload.

Heuristics (2)

  • ClamAV: Xml.Exploit.DDE_Abuse-9987933-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xml.Exploit.DDE_Abuse-9987933-1
  • Spreadsheet DDE link launches a dangerous command (critical, OOXML_SPREADSHEET_DDE_MALICIOUS)
    The Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.