Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 0c86c04307310835…

MALICIOUS

Office (OOXML) / .XLSX

645.4 KB Created: 2023-08-03 11:34:29 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2023-08-24
MD5: df8a0551c84725bcafa3f3333db4071f SHA-1: 74979dac3bb3aae3ec3cb25b60968d5b5379f9fb SHA-256: 0c86c04307310835e02630fb05b031ec8b401f59670afb4ea7d9c27516254e95
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link

The sample is an Excel file containing an embedded OLE object, specifically identified as a Equation Editor object. This object carries a payload-like Ole10Native stream with an anomalous header, indicating it's likely an exploit targeting the Equation Editor vulnerability. The embedded object is the primary indicator of malicious intent, suggesting the file is designed to exploit this known vulnerability to execute a secondary payload.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/QdPpTGN.UbY contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
b7b604fc631c34cce219e8beaef9d58c2b2f63a6265851ccc209f85edd246378		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/QdPpTGN.UbY 967168 bytes
ooxml_oleobject_00_ole10native_00.bin
754d749955be3a499c9a082227ebc2bbbf4bc3e9366268f033479690af24cf73		 ole-package OOXML xl/embeddings/QdPpTGN.UbY Ole10Native stream: Ole10NAtIvE 957055 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.