Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 fe8ba658f6a5bb10…

MALICIOUS

Office (OOXML)

Size: 9.8 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2019-05-16
MD5: 6a407764b81f20efffe09f926e8cf6ce
SHA-1: e10fc72052970776f72207f1db0a73d0c09c26a0
SHA-256: fe8ba658f6a5bb105bc6874728b4e85984a1b5743b21def0bdaf67759f8c5937
Risk Score: 240

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The sample is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. Critical heuristics indicate the exploitation of CVE-2017-11882 through a font record overflow within this object. This exploit is commonly used to achieve arbitrary code execution.

Heuristics (4)

  • CVE-2017-11882 — Equation Editor FONT record overflow [severity: critical; category: CVE likely; rule: CVE_2017_11882]
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object [severity: high; category: CVE related; rule: OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Exploit.CVE_2017_11882-6934206-0
  • Embedded OLE object [severity: medium; rule: OOXML_OLE_OBJECT]
    Document contains an embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
Size: 4096 bytes
SHA-256: 0a9fa231e54f055acf625df1e994c53e210269b39583b268276fff33a3059341
Detection: ClamAV: Doc.Exploit.CVE_2017_11882-6934206-0
Obfuscation or payload: unlikely