Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 12b177cacaeb0ae8…

MALICIOUS

Office (OOXML) / .XLSX

Size: 718.9 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
MD5: a20039173917fad021dcd3e043411e5d
SHA-1: d646a07aa9837cdc2a2a0b857fd16e8c871e1538
SHA-256: 12b177cacaeb0ae87dd92b4c547b4d7eaaaaac7f2e31e8e1200c4c31c6abc656
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Excel document containing an embedded OLE object identified as an Equation Editor exploit. This type of object is commonly used to deliver and execute malicious code. The presence of the Equation Editor OLE object strongly suggests an attempt to exploit a vulnerability for client-side execution.

Heuristics 2

  • Equation Editor OLE object (severity: high; CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/6GVXOOMQ.9oBF4 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

ooxml_oleobject_00.bin
  SHA-256: a77344d6dba6e687e1d08038591cf4ae80f7a6449682036e31a238903959c455
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/6GVXOOMQ.9oBF4
  Size:    985088 bytes

ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 9be1b83aeb23889a225cf739e6cee75435c757d920d085aceeaec448e752c082
  Kind:    ole-package
  Source:  OOXML xl/embeddings/6GVXOOMQ.9oBF4 Ole10Native stream: oLe10nATiVe
  Size:    974499 bytes