Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1753a38918b445b3…

MALICIOUS

Office (OOXML) / .XLSX

642.7 KB Created: 2010-06-04 08:55:28 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2023-08-14
MD5: 82d471c986172985b7fd2c8d28b4af55 SHA-1: 4fafd95f8149e94f8e2c1c0b705a156a30ea5a4a SHA-256: 1753a38918b445b343f7f5494c51cc33ef451bbe7e5f545f78748d2df7fb8c49
100 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The file is an OOXML document containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate that this object carries a payload-like Ole10Native stream with an anomalous header and size, strongly suggesting it's a dropper for malicious content. The document body itself contains what appears to be a fabricated invoice or product list, likely serving as a lure to encourage interaction with the embedded object.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/E9.ej contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
07232ba6598c3d8b343a1cc5f3267e7b905e5e7ed6baefa30bb2e9ecefe6f6b5		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/E9.ej 873472 bytes
ooxml_oleobject_00_ole10native_00.bin
20645f7451841a2e4a0050d5274cc3d331539a129bf08937395ba44c2c2a18da		 ole-package OOXML xl/embeddings/E9.ej Ole10Native stream: Ole10NaTiVE 863889 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.