Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e063c333fb564290…

MALICIOUS

Office (OOXML)

12.2 KB Created: 2020-02-07 23:21:58 UTC Authoring application: Microsoft Excel 14.0300 First seen: 2020-08-10
MD5: 4714c9c52db0b6269a6d94a093909463 SHA-1: c94a0ac78742f7bb8520e408ba00408fec3f44ed SHA-256: e063c333fb564290fd30dbe2a5b1fb061da8ae5cfec5902212591866f193e1b7
180 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical ClamAV heuristics indicate the presence of the CVE-2017-11882 vulnerability, commonly exploited via the Equation Editor OLE object. This suggests the document is designed to exploit this vulnerability for client execution. No document body or script content was available for further analysis.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 4096 bytes
SHA-256: f96cff95c1c0935168bf17f0b994c53dac450b1281f8d9d864f64e258c8ef869
Detection
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.