Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 0b801f372647dee8…

MALICIOUS

Office (OOXML) / .XLSX

757.8 KB Created: 2010-06-04 08:55:28 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2023-02-09
MD5: 4184a54011e2ebc0efd775fd1d71928d SHA-1: e39809010188b08c73e9bacadce6d2fa9269af79 SHA-256: 0b801f372647dee83d3d425117fd5c9ee08bc4cfeba9e7d742b89402bc251e0b
100 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The sample contains an embedded OLE object, specifically identified as an Equation Editor object, which carries a payload-like Ole10Native stream. This indicates the exploitation of a vulnerability within the Equation Editor to execute arbitrary code. The unusual size and entropy of the Ole10Native stream further suggest it contains malicious content, likely a second-stage payload.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/xLNr4.mCgcZgu contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
f8bf3ea9d18b84d9ccf16e2f8db074d9bfdc4986de60b4fc4d32859839227e5d		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/xLNr4.mCgcZgu 1107968 bytes
ooxml_oleobject_00_ole10native_00.bin
5c1ab07bf34c3fd4b26b4f821f79f5757ac84964da09828b9d7a1d84eb3ff028		 ole-package OOXML xl/embeddings/xLNr4.mCgcZgu Ole10Native stream: oLe10NaTiVe 1097185 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.