Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1745cf3e05175f1f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 16.6 KB
Created: 2021-02-12 14:21:03 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 5a7c6697f4ca14b5f0618bfa5cca73c4
SHA-1: 6a707198ac0c3bbff3bd2998f4b29fd90562eab2
SHA-256: 1745cf3e05175f1f56df326676e3e8b87c5c0ae7e5e2176e9f8945a2dbdaeeaa
Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an Excel spreadsheet containing an embedded OLE object, specifically an Equation Editor object. Heuristics indicate this object is anomalous and exploits CVE-2018-0798. The document body presents itself as a proforma invoice, a common lure for malicious documents. The embedded OLE object is the primary indicator of malicious activity, likely serving as the initial execution vector.

Heuristics (4)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • CVE-2018-0798 — anomalous Equation Editor native stream (severity: high; CVE likely; rule: CVE_2018_0798_EQUATION_NATIVE_ANOMALY)
    Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Fake invoice / payment lure (severity: low; rule: SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • ooxml_oleobject_00.bin
    SHA-256: aa9c8a2fa6aa5efeb3abe94ad10e2fa6030cbe9f9d4919b565ba0b79878aaa0b
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
    Size: 3584 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: ec9115b4d68edbfc6b440db5e6da0f07ac709e96e3031135f6a877d36b16f677
    Kind: ole-package
    Source: OOXML xl/embeddings/oleObject1.bin Ole10Native stream: OlE10NaTive
    Size: 1497 bytes