Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 0b07cb20b22f00e9…

MALICIOUS

Office (OOXML) / .XLSX

Size: 626.5 KB
Created: 2023-09-27 08:05:40 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2023-09-28
MD5: c234482fb1ec97a2495da2f922459422
SHA-1: f1c58647f0829e5fe30c21873fad470de3d570a1
SHA-256: 0b07cb20b22f00e9a107082c438fcfa50ee435a34487991f2c01096975a8fe03
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an Office document containing an embedded OLE object identified as an Equation Editor. This technique is commonly used to exploit vulnerabilities or deliver second-stage malware. No document body or script content was available for further analysis, limiting the ability to determine the specific payload or delivery mechanism.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE related) OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/2b.9Y contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium) OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: bf66c067dafde5050ffb81260dbba142b45de5a3e05de867fef387f755204279
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/2b.9Y
    Size: 875008 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 1a2a4b228d1a3788906a18061c40b4cd026d7b6fd12ceb31418b3a15947a88fc
    Kind: ole-package
    Source: OOXML xl/embeddings/2b.9Y Ole10Native stream: ole10NatIvE
    Size: 865482 bytes