Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 0ba111aeeda430f6…

MALICIOUS

Office (OOXML) / .XLSX

Size: 728.1 KB
Created: 2022-05-31 12:17:21 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2022-06-15
MD5: cd9513b5e3ce6ac13b2f620f33dc40c9
SHA-1: e13781a08b2a46daf728c18af0a5538b60f1eeec
SHA-256: 0ba111aeeda430f675c660bf2d87928ea17f89c31fffb54f00924e9f4a032c1a
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The presence of an embedded OLE object, identified as an Equation Editor, strongly suggests an attempt to exploit a vulnerability within Microsoft Office. This technique is commonly used to achieve arbitrary code execution, leading to the download or execution of further malicious payloads. The specific OLE object path is provided as an IOC.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tags: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/KLWjYg.yHO7 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256:  964e4a599c55202ca9f65612e9f8c3d04c19e76ab36c8b8f574f793ceb41b39f
Kind:     ooxml-ole-object
Source:   OOXML embedded OLE part: xl/embeddings/KLWjYg.yHO7
Size:     1010688 bytes