Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 01718967fc83864d…

MALICIOUS

Office (OOXML)

Size: 745.5 KB
Created: 2019-11-27 09:20:57 UTC
Authoring application: Microsoft Excel 12.0000
MD5: fa90fd9f55ee454e5b5eff24ad4bf066
SHA-1: 6296011b0dec0bc411c2c82673099e9195c53914
SHA-256: 01718967fc83864dd46db64ee4699ce54d2cd5c139cb19e1983740ede05d8961
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The file is an OOXML document containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object is known to be exploited to execute arbitrary code. The presence of this object strongly suggests an attempt to exploit a client execution vulnerability, likely delivered via spearphishing.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/vKkn7Pfd.HNsPTBV contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 94d3ad708005f0339e597e3da44f8a19c95118c7962f32f2feb5a9473c90f7e1
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/vKkn7Pfd.HNsPTBV
    Size: 1047040 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: cf14249cd6ee27770372c7995d6735141b71ab4566ffed2897d22bc253f10c13
    Kind: ole-package
    Source: OOXML xl/embeddings/vKkn7Pfd.HNsPTBV Ole10Native stream: olE10naTiVe
    Size: 1036365 bytes