Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 008a169081253ee9…

MALICIOUS

Office (OOXML) / .XLSX

853.9 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-05-30
MD5: 79ae64059f25347680ffad0709469580 SHA-1: 5c2fa241d5e46a531265ea69531aeeedceba1b29 SHA-256: 008a169081253ee95e88053455edcef10c55bf2416b756fee3d5686b97955ba3
60 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The file is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object is known to be exploitable via vulnerabilities like CVE-2017-11882, allowing for arbitrary code execution. The presence of the Equation Editor OLE object strongly suggests an attempt to exploit this vulnerability for payload delivery.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
8c0f9e133560ad40770b1cb5208946f47ceaeea58c6dd3bb3e1af39bd22c8c5f		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 976896 bytes
ooxml_oleobject_00_ole10native_00.bin
10db85fa6e448e65adcbf14b1e9b50ae0f8688482f47fd18ab98f9c181f72c03		 ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native 966876 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.