Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ee9f7ab349d3e1f0…

MALICIOUS

Office (OOXML)

151.9 KB Created: 2018-10-13 21:56:52 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2019-01-25
MD5: ddd1e8d406dc4d4d1d76e862a4615d1c SHA-1: f17cc717f4158f2640f37ae1b21afcb8bbf90f73 SHA-256: ee9f7ab349d3e1f0457b3b4990c6da2b90b1d90e4b9212d41ad51ed66f200268
200 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is identified as malicious due to the presence of an Equation Editor OLE object, which is a known exploit vector for CVE-2017-11882. The document also contains a lure to enable macros or editing, a common tactic for malware droppers. The ClamAV detection confirms the exploitation of CVE-2017-11882, indicating the file's purpose is to execute malicious code upon user interaction.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 4096 bytes
SHA-256: 8acadc4e87b790b9f97a68e22632c0d1831d8a26e92c7a115ebd595b776c0f3e
Detection
ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0
Obfuscation or payload: unlikely