Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 14298856718e62c3…

MALICIOUS

Office (OOXML)

709.2 KB Created: 2021-07-19 07:01:57 UTC Authoring application: Microsoft Excel 12.0000
MD5: a540023519a2beaf0df60f5b42890e46 SHA-1: b984ff6cebdd04c175d044a4247e7c8bc0b43e4e SHA-256: 14298856718e62c3cf909e6a44d68d2f015ed28edeaf52ee7df324bb3aeba226
108 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an OOXML document containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate this object carries a payload-like Ole10Native stream with an anomalous size, suggesting it's not standard Equation Editor content. The document body contains invoice-like text, reinforcing the lure. The presence of an embedded OLE object, particularly one with anomalous characteristics, strongly suggests it's being used to deliver a secondary exploit or payload.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/xwjVO4F.uM3K8iB contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
6a6e8b5b1bf7c86ac8aede535d0fb32babf58f3866211401b35298cdc3140e86		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/xwjVO4F.uM3K8iB 947200 bytes
ooxml_oleobject_00_ole10native_00.bin
e2c1c1aeb06956abcd2c92a4b70cb0bf654a5e2db731d4cce907d1a9bf7da90b		 ole-package OOXML xl/embeddings/xwjVO4F.uM3K8iB Ole10Native stream: OlE10NaTive 937265 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.