Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 064261a6b45b1149…

MALICIOUS

Office (OOXML)

569.1 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2020-05-25
MD5: 12a1dcc42104a441ea3be1ddcc1bc380 SHA-1: 6a46878e1ea2a64a3b5eeb6eb8f881cac779cf0b SHA-256: 064261a6b45b11499c67f7ec54fc16224d4426fe3d7a095b9ddaf9bf30795da1
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an OOXML file containing an embedded OLE object, identified as an Equation Editor object. This is a common technique used to exploit vulnerabilities and execute arbitrary code. The embedded object itself is a strong indicator of malicious intent, likely serving as a dropper for a secondary payload.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 180224 bytes
SHA-256: 79d5739390c7391d5256c4d702c9c49375bcabea28099f1a0b17abdf82f3ba6a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
ooxml_oleobject_01.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject2.bin 1587712 bytes
SHA-256: 9883b3774d1c722dff4082a1c6f530051fa8cedbf364547b5705b308d6f7d051
ooxml_oleobject_01_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native 1572612 bytes
SHA-256: d85009cb0f9a593892012a4df8d74182d2ae8fe27d01b2e6029a2b2c0c8b8d19
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image2.emf 3145608 bytes
SHA-256: 78c2466c6539c3c9aecc57dd4b2ea6303724eeaef9925fc568c6da8fc6efde19

Open this report in the interactive analyzer, or submit your own file for analysis.