Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 0f3bc6b79cf15beb…

MALICIOUS

Office (OOXML) / .XLSX

321.1 KB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 12.0000
MD5: 43859ebedcf2228a669b956d19cd68fb SHA-1: 0c9cb3296863aa4ea84fa07b8b8e1362ba125c3a SHA-256: 0f3bc6b79cf15beb7b575ebd6ac6b3f07fc73b91129097cbda586e7efe2ebd7c
110 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an Excel file containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate this object is anomalous and exploits CVE-2018-0798, a vulnerability in Microsoft Equation Editor. This vulnerability allows for the execution of arbitrary code on the victim's machine. The presence of a hidden sheet further suggests an attempt to conceal malicious activity.

Heuristics 5

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • CVE-2018-0798 — anomalous Equation Editor native stream high CVE likely CVE_2018_0798_EQUATION_NATIVE_ANOMALY
    Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.day.com/dam/1.0
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/tiff/1.0/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
43b2f3ca2b7e39c28a5c8d0752ebf9d230da9623fa2146e5ed22ae397ac18e77		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 4096 bytes
ooxml_oleobject_00_ole10native_00.bin
ed5d5cbc0b71d754bc0fe3bea2efc0ea2cebccf2c6f561b70c2245721fc9d593		 ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: OLe10nATIvE 1885 bytes
ooxml_oleobject_01.bin
d3bed62146b479dcc5804bb7236bf5e6b615e871175a5c582c38f4c5b7056b20		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/Microsoft_Office_Word_Macro-Enabled_Document1.docm 122533 bytes
emf_00.emf
63bccb441b2fe43212d898f7570882b6734062fcb1b56b9199e2d44d705d96e1		 ooxml-emf OOXML EMF part: xl/media/image4.emf 648132 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.