Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 07504fcef717e6b7…

MALICIOUS

Office (OLE) / .XLS

Size: 33.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2023-05-15
MD5: 956ad7e87ee4ea4473408d1f2c6fe7ff
SHA-1: 8df3955666c8a335c48da39820db0f88e4a6ac27
SHA-256: 07504fcef717e6b74ed381e94eab5a9140171572b5572cda87b275e3873c8a88
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Excel file containing an embedded Equation Editor OLE object, a known vector for exploiting the Equation Editor vulnerability (CVE-2017-11882). The XOR-encoded strings indicate obfuscation, most likely to conceal the code the exploit runs. The single-byte XOR key 0xFF is identified as a potential indicator.

Heuristics (2)

  • Equation Editor OLE object [severity: high, CVE-related] (OLE_EQUATION_EDITOR)
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • XOR-encoded strings (key 0xFF) [severity: critical] (SC_XOR_ENCODED)
    Found 4 Windows library/API name(s) XOR-encoded with single-byte key 0xFF: 'LoadLibraryA', 'LoadLibraryA', 'ShellExecuteA', 'ShellExecuteA'