Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 167b81f2c8ddc989…

MALICIOUS

Office (OOXML) / .XLSX

Size: 716.7 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 5448f1b0f4d4c63e7bce17e82fc2247d
SHA-1: 7fc2271736c0794fe2b0fb7e81b1f51a88d94405
SHA-256: 167b81f2c8ddc9893a0211f8585b86c8cd2b6934255033fb4e480885f7f993a0
Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an Excel file containing an embedded OLE object, specifically identified as an Equation Editor. Heuristics indicate that this object carries a payload-like stream with an anomalous header and a significantly larger declared size than the actual stream, strongly suggesting it is designed to exploit a vulnerability. The presence of a hidden sheet further supports the malicious intent by indicating an attempt to conceal malicious content. The document body content appears benign, but the embedded object is the primary indicator of compromise.

Heuristics (4)

  • Equation Editor OLE object [severity: high, CVE related] (rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/J1hfT.94Fo21n contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream [severity: high] (rule: OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [severity: medium] (rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Hidden worksheet [severity: low] (rule: OOXML_HIDDEN_SHEET)
    Excel workbook contains 1 hidden sheet(s); hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                                | Kind             | Source                                                                  | Size
ooxml_oleobject_00.bin                  | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/J1hfT.94Fo21n                    | 1031168 bytes
  SHA-256: 1d75d21efe7ad8523c16ed114fcd14e984f27dd8794a3291f8975ea055dbc76d
ooxml_oleobject_00_ole10native_00.bin   | ole-package      | OOXML xl/embeddings/J1hfT.94Fo21n Ole10Native stream: ole10natIVE       | 1020625 bytes
  SHA-256: 2714e8fadef36b6521f5d02ae7a73b86e6c671960888e152aeca28d3f2f6578e