Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 14ebc34fbd660449…

MALICIOUS

Office (OOXML) / .XLSX

607.3 KB Created: 2023-12-04 17:54:29 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2024-06-21
MD5: d5a40b7231564a72c37d7e2af8d1cf2e SHA-1: 2317a3c330d40d76816ea431e1597fb62ca44af0 SHA-256: 14ebc34fbd6604493099d57a783fc23eca9cc6dbacb012a2635d45a77aedaecd
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical heuristic firing for CVE-2017-11882 indicates the file contains an embedded Equation Editor OLE object designed to exploit this vulnerability. This exploit allows for arbitrary code execution, likely to download and run a secondary payload. The embedded OLE object itself is a key indicator of compromise.

Heuristics 3

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/0ltTCMom.cgb contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
d00b1b8c17559a339098db32c34ad3b9db8903d0279a97aad5fc04ae294fe80e		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/0ltTCMom.cgb 824832 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.