Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 01788f4d85df8041…

Verdict: MALICIOUS
File type: Office (OOXML) / .XLSX
Size: 584.6 KB
Created: 2023-07-26 19:45:53 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2023-07-30
MD5: 03ed8344f8a630172330fa69730e3b09
SHA-1: 1537f23cf019afce2ffd603da89b5a9d2f83852d
SHA-256: 01788f4d85df8041b9e1a6c385b53bc783a201461b6c22d592d12e80d247112d
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model. Note that "Component Object Model Hijacking" is a different sub-technique, T1546.015, and that exploitation of Equation Editor is usually mapped to T1203 Exploitation for Client Execution.

The high-severity heuristic fired because the embedded OLE object declares the CLSID of Microsoft Equation Editor (EQNEDT32.EXE), the legacy component behind CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. When Excel activates such an object, the native data stored in its Ole10Native stream is handed to EQNEDT32.EXE, and a crafted equation record can trigger one of those memory-corruption bugs to execute attacker-controlled code. The CLSID is a strong indicator rather than proof of exploitation: confirming it requires parsing the Ole10Native payload, which at 860,359 bytes is far larger than a genuine equation would need. No document body, macros or scripts were extracted from the workbook, so further analysis is limited to that embedded object.

Heuristics (2)

  • OLE_EQUATION_EDITOR (severity: high, tag: CVE related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/OW.xI8x contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • OOXML_OLE_OBJECT (severity: medium): Embedded OLE object
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

ooxml_oleobject_00.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part xl/embeddings/OW.xI8x
  Size: 869,888 bytes
  SHA-256: 5694190ca72958f151539459a624d0bca92479c544ab32c7a74082e95b84baf7

ooxml_oleobject_00_ole10native_00.bin
  Kind: ole-package
  Source: Ole10Native stream (named OLE10naTIVE) inside xl/embeddings/OW.xI8x
  Size: 860,359 bytes
  SHA-256: 11418de28fbe4335a69ca15e7433e5e0bddc6011c81b90ee8f880c266c2fa706

Two details of how the object is stored are worth noting. The embedded part carries the extension .xI8x rather than the .bin that Office writes for embedded objects, and the Ole10Native stream is named OLE10naTIVE. Compound-file readers, Office included, compare directory names case-insensitively, so the object still loads, while a scanner that matches the exact string "\x01Ole10Native" or inspects only *.bin parts under xl/embeddings/ sees nothing.
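The two heuristics above and the Ole10Native carving shown in the artifact table can be reproduced with a small compound-file walker. The following is an added example written for this page, not tooling from the analysis platform: it opens the OOXML zip, treats every part under an embeddings/ folder as a candidate regardless of extension (the part here is named OW.xI8x, not .bin), parses the MS-CFB structure by hand so it runs without olefile, compares the root storage CLSID with the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}, and locates the Ole10Native stream with a case-insensitive match so the oddly cased OLE10naTIVE name is still found. The workbook it scans is constructed inside the script (build_sample_ole and build_sample_xlsx are test helpers, not real files); the native data in it is filler, not the sample's payload, and only the 109 DIFAT slots in the CFB header are read, which is enough for parts below roughly 7 MB.

```python
import io
import struct
import uuid
import zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
EQUATION_EDITOR_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")  # Equation.3 / EQNEDT32.EXE

def parse_cfb(data):
    """Return (root storage CLSID, {stream name: bytes}) for an MS-CFB compound file."""
    if not data.startswith(CFB_MAGIC):
        raise ValueError("not a compound file")
    ssz, msz = (1 << s for s in struct.unpack_from("<HH", data, 30))      # sector and mini-sector size
    n_fat, first_dir, _, cutoff, first_minifat = struct.unpack_from("<IIIII", data, 44)
    sector = lambda n: data[(n + 1) * ssz:(n + 2) * ssz]
    # Only the 109 DIFAT slots in the header are honoured (assumption: no DIFAT sectors in the parts scanned).
    fat = [e for s in struct.unpack_from("<109I", data, 76)[:n_fat]
           for e in struct.unpack(f"<{ssz // 4}I", sector(s))]
    def chain(start, table):  # follow a (mini)FAT chain; end markers (>= 0xFFFFFFFA) and loops stop it
        out = []
        while start < len(table) and start not in out:
            out.append(start)
            start = table[start]
        return out
    entries, dirdata = [], b"".join(sector(s) for s in chain(first_dir, fat))
    for off in range(0, len(dirdata), 128):
        e = dirdata[off:off + 128]
        nlen, etype = struct.unpack_from("<HB", e, 64)
        if etype in (1, 2, 5):                                            # storage, stream, root entry
            start, size = struct.unpack_from("<IQ", e, 116)
            size = size & 0xFFFFFFFF if ssz == 512 else size              # v3 files: high 32 bits are junk
            name = e[:min(max(nlen - 2, 0), 64)].decode("utf-16-le", "replace")
            entries.append((name, etype, uuid.UUID(bytes_le=e[80:96]), start, size))
    root = next(e for e in entries if e[1] == 5)
    ministream = b"".join(sector(s) for s in chain(root[3], fat))
    minifat = [e for s in chain(first_minifat, fat) for e in struct.unpack(f"<{ssz // 4}I", sector(s))]
    def read(start, size):
        if size >= cutoff:
            raw = b"".join(sector(s) for s in chain(start, fat))
        else:                                      # small streams live in the mini stream via the miniFAT
            raw = b"".join(ministream[s * msz:(s + 1) * msz] for s in chain(start, minifat))
        return raw[:size]
    return root[2], {n: read(st, sz) for n, t, _, st, sz in entries if t == 2}

def triage_ole_part(blob):
    """Apply the report's two checks to one carved OLE part and carve the Ole10Native payload."""
    clsid, streams = parse_cfb(blob)
    result = {"clsid": str(clsid), "equation_editor": clsid == EQUATION_EDITOR_CLSID,
              "streams": sorted(streams), "ole10native": None}
    for name, content in streams.items():
        # CFB readers compare directory names case-insensitively, so "OLE10naTIVE" must still match.
        if name.lstrip("\x01\x02\x03\x05").lower() == "ole10native" and len(content) >= 4:
            result["ole10native"] = (name, struct.unpack_from("<I", content)[0], content[4:])
    return result

def scan_ooxml(blob):
    """Triage every part under an embeddings/ folder that is a compound file, whatever its extension."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            part = z.read(info) if "/embeddings/" in info.filename else b""
            if part.startswith(CFB_MAGIC):                                # trust the magic, not ".bin"
                yield info.filename, triage_ole_part(part)

def build_sample_ole(clsid_str, stream_name, native):
    """Constructed test input, not the analysed sample: 512-byte sectors, one stream in the regular FAT chain."""
    ssz, payload = 512, struct.pack("<I", len(native)) + native           # Ole10Native: u32 length, then data
    n = -(-len(payload) // ssz)                                            # data occupies sectors 2 .. n+1
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + n)) + [ENDOFCHAIN]
    fat += [FREESECT] * (ssz // 4 - len(fat))
    def entry(name, etype, eclsid, child, start, size):
        wname = name.encode("utf-16-le") + b"\x00\x00"
        return (wname.ljust(64, b"\x00") + struct.pack("<HBBIII", len(wname), etype, 1, NOSTREAM, NOSTREAM, child)
                + eclsid.bytes_le + bytes(20) + struct.pack("<IQ", start, size))
    directory = (entry("Root Entry", 5, uuid.UUID(clsid_str), 1, ENDOFCHAIN, 0)
                 + entry(stream_name, 2, uuid.UUID(int=0), NOSTREAM, 2, len(payload))).ljust(ssz, b"\x00")
    header = (CFB_MAGIC + bytes(16) + struct.pack("<HHHHH6xIIIIIIIII", 0x3E, 3, 0xFFFE, 9, 6,
                                                   0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<I", 0) + b"\xFF" * 432)                     # DIFAT: the FAT is sector 0
    return header + struct.pack(f"<{ssz // 4}I", *fat) + directory + payload.ljust(n * ssz, b"\x00")

def build_sample_xlsx(ole_part):
    """Constructed OOXML container (not a full workbook) holding the part under the name the report shows."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/embeddings/OW.xI8x", ole_part)
    return buf.getvalue()

if __name__ == "__main__":
    native = b"<constructed native data>" + b"A" * 4200                  # > 4096 bytes, so not in the mini stream
    xlsx = build_sample_xlsx(build_sample_ole(str(EQUATION_EDITOR_CLSID), "\x01OLE10naTIVE", native))
    for part, r in scan_ooxml(xlsx):
        print(part, r["clsid"], "EQUATION EDITOR" if r["equation_editor"] else "", r["ole10native"] and r["ole10native"][:2])
```

Run as-is to see the constructed part flagged; pass the bytes of a real .xlsx to scan_ooxml to triage its embeddings. The length-prefixed payload returned under "ole10native" is what should go to an Equation Native/MTEF parser or a sandbox next, since the CLSID match alone does not say which record in the native data is malformed.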