Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 00e0a23a8c9535c0…

MALICIOUS

Office (OOXML) / .XLSX

Size: 13.3 KB
Created: 2019-11-27 09:20:57 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 817ecb59ef716e826713794fb215add4
SHA-1: 52865450845daedc23980b99f3587f603aa2911a
SHA-256: 00e0a23a8c9535c0dc34176236e97215aae4a1d0a897729b632ebf21ee45ce53
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.005 Visual Basic

The file is an Office document containing an embedded OLE object, specifically an Equation Editor object. Heuristics indicate this object is anomalous and exploits CVE-2018-0798, a vulnerability in Equation Editor. The document body presents a list of items, and a heuristic indicates it uses a lure to enable macros, suggesting it is a dropper designed to execute a second-stage payload.

Heuristics (4)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • CVE-2018-0798 — anomalous Equation Editor native stream (severity: high; CVE likely; rule: CVE_2018_0798_EQUATION_NATIVE_ANOMALY)
    Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Macro/content-enable lure (severity: medium; rule: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 5364fc46dd2fda5cb646572f2d4f3c3effb97595134f2b17f9888687df93387f
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
  Size: 3584 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 7d36a72361f71f1eff49bdf088e2cce5010b94b6b9db56db7e26cf3fcbc066f2
  Kind: ole-package
  Source: OOXML xl/embeddings/oleObject1.bin Ole10Native stream: olE10NativE
  Size: 1322 bytes