Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 110cc4e0f8af5915…

MALICIOUS

Office (OOXML) / .XLSX

1.40 MB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 12.0000
MD5: aca6994564bc74c8c9a3d854054b65fa SHA-1: 789594e49f7d79465274d65c56c63bd552ad8c60 SHA-256: 110cc4e0f8af591585be900b5ebdf893f012ae74024129e5b18768bc7d9e35a4
110 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an Excel document containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate that this object carries a payload-like Ole10Native stream with an anomalous header and size discrepancy, strongly suggesting exploitation of a vulnerability like CVE-2017-11882. This technique is commonly used to execute arbitrary code, likely leading to the download and execution of a secondary malicious payload.

Heuristics 5

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
ad1a5decdfbf79b63d8558fda1d662b3f846fa2812107eff919a6856a074c98b		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject3.bin 29696 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
ooxml_oleobject_00_ole10native_00.bin
d0e65243df358f9ee7948eadb2c9e55da3344dd9a0ee3fcc11d3188c924dc972		 ole-package OOXML xl/embeddings/oleObject3.bin Ole10Native stream: Ole10Native 28007 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.61, consistent with packed or encrypted content.
ooxml_oleobject_01.bin
3a89ee3d738b0d0c426413c281a7d23ca5287e3b1ae1709641af7d1e1dd82ab9		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject2.bin 1535488 bytes
ooxml_oleobject_01_ole10native_00.bin
f7bfcd2cfafe65360c900b06396fb593106749574e01161bc1df7461e65c0804		 ole-package OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native 1520900 bytes
ooxml_oleobject_02.bin
5cbffe4895f6d0903937a7d35afb9b97cacdb81ee6ca38aab51349d97451f341		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 959488 bytes
ooxml_oleobject_02_ole10native_00.bin
81d607131338dc7587bf2e2132ac46c59c4d2aa12b686a9c50e9ea6641bc0ed6		 ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: ole10naTIVE 949435 bytes
ooxml_oleobject_03.bin
77e39b23d129be207879f807a728d855d69bdaf0f2bb6378862c894b80443d33		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/Microsoft_Office_Word_Macro-Enabled_Document1.docm 121999 bytes
emf_00.emf
072a6a893b25f4848345ae02773b4dd141c43ec598f34f1da6844dabe6ca8a42		 ooxml-emf OOXML EMF part: xl/media/image2.emf 3042216 bytes
emf_01.emf
dd165762e2ea05cd6c095e9e76d39c6edc98cef210be4d0f84b46cc1088c1f7e		 ooxml-emf OOXML EMF part: xl/media/image3.emf 1127736 bytes
emf_02.emf
eb97b4a4d12d2ce3a03daf8e3113b792a3fd077f91933e3d2c71372fdbb7f2c2		 ooxml-emf OOXML EMF part: xl/media/image4.emf 5376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.