Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 0f3cb5c6ae2f9e0f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 791.2 KB
Created: 2020-05-18 06:42:12 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2022-04-12
MD5: 4c64325f66e78a405fbefaa4a9917877
SHA-1: ad52d0d80bc47daa010cc142807aa4d5ee4fd457
SHA-256: 0f3cb5c6ae2f9e0f0abdb0e5949e53fde0269da3e0fc088688a45a7e6e1f8977
Risk score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Excel file containing an embedded OLE object identified as an Equation Editor object. This legacy component has known vulnerabilities that allow arbitrary code execution when a crafted object is opened. The embedded object's part name is '9tIP.A3V'. No scripts were extracted, and the document body content is unrelated to the malicious functionality.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/9tIP.A3V contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 482f6468dbd76dba158b6e430fb79bc45eaefa623030439f713f2c1d2d82b1d6
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/9tIP.A3V
Size: 1078784 bytes