Xls.Downloader.Trojan-aa0b8f388d8573cd Office (OOXML) / .XLSX malware analysis — malicious · 13fb4c73eca2cd9c

MALICIOUS

Office (OOXML) / .XLSX

822.7 KB Created: 2022-05-16 17:34:45 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-06-21

MD5: 49919281a4a41a77a43d231a75a01888 SHA-1: 315423661411e784d49fdd01fe5234ba89821a69 SHA-256: 13fb4c73eca2cd9ccd1e7a6b5ee44faf9c15af9768d66e1c6ac196263719a335

120 Risk Score

Malware Insights

Xls.Downloader.Trojan-aa0b8f388d8573cd · confidence 95%

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The critical ClamAV heuristic indicates this is a downloader trojan. The presence of an Equation Editor OLE object strongly suggests exploitation of a known vulnerability in that component to achieve code execution. This likely serves as a delivery mechanism for a secondary payload.

Heuristics 3

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/9Ds0Fp.O6SLWRV contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
ClamAV: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `b0f498160c68c94271cfed0e7810287c8fbd157ad43d753f5d374a94ef435620`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/9Ds0Fp.O6SLWRV	936960 bytes
`ooxml_oleobject_00_ole10native_00.bin` `07c11cb6fabca33dd6a2b74df082109861cd0ff9daf544135b6aa1bb71b398eb`	ole-package	OOXML xl/embeddings/9Ds0Fp.O6SLWRV Ole10Native stream: Ole10nativE	926902 bytes
`emf_00.emf` `38f17a599ac5d645df3840bbb401710ef81573a747da20abbfc1b7d9a9273b58`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	169096 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.