Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 e236dc1d56c10e23…

MALICIOUS

Office (OOXML)

Size: 9.9 KB
Created: 2021-10-13 04:58:51 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2021-10-23
MD5: 03f7a74928d21341382345e2048c429a
SHA-1: fdf284873f0c067fe9f2386940c0a2a5b5093666
SHA-256: e236dc1d56c10e23e866431c958ea8adb3ca9f8d1e38b9fbf8aa9f509bf63400
Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1218.005 Client Execution: Microsoft Signed HTML Application Executable
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The sample contains a malicious DDE link within an Excel spreadsheet, specifically targeting the execution of cmd.exe to launch the calculator. This indicates an attempt to leverage the DDE feature for arbitrary command execution. The presence of a hidden worksheet further suggests an effort to conceal malicious activity.

Heuristics (2)

  • Spreadsheet DDE link launches a dangerous command (severity: critical; rule: OOXML_SPREADSHEET_DDE_MALICIOUS)
    Excel workbook contains an externalLinks/ddeLink entry whose ddeService/ddeTopic launches a dangerous executable. This is SpreadsheetML DDE command execution, distinct from WordprocessingML DDE field instructions.
  • Hidden worksheet (hidden) (severity: low; rule: OOXML_HIDDEN_SHEET)
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.