Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 16dcdb55dcdc6d1f…

MALICIOUS

Office (OOXML) / .XLSX

1.96 MB Created: 2019-11-27 09:20:57 UTC Authoring application: Microsoft Excel 12.0000
MD5: c458592ca7999b9e0bfc7f2d3c3eba75 SHA-1: 12682191846476377e7d63ced64b8d5ad3762029 SHA-256: 16dcdb55dcdc6d1f3d9609ed148173ab9400313221e20cb74410b6bd22dd3e4e
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The file is an Excel document containing an embedded OLE object, specifically identified as an Equation Editor object. The document body presents a list of items, which serves as a lure to encourage users to enable macros or content. This technique is commonly used by malware droppers to bypass security measures and execute malicious code.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/FpR5L.IxdW contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
c12430dd2c84da5e13f867ea8054ec023a8920d84ff5b0249189188549780ad3		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/FpR5L.IxdW 2811392 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.