Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 17e42954cdc65f98…

MALICIOUS

Office (OOXML) / .XLSX

Size: 591.5 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 06b246032720680967a4be982c7e3d87
SHA-1: b36fdee511d90ee2d6ebaa0dd75b80bfdf0b54e0
SHA-256: 17e42954cdc65f983603bae8bd483d97f2cdd7438a416cbc05080f1192baa1f9
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The sample is an Excel workbook with a single embedded OLE object, xl/embeddings/GyD01y.TTLY8gI, whose root storage carries the Equation Editor 3.0 CLSID (0002CE02-0000-0000-C000-000000000046). A genuine Equation Editor object stores its formula as MTEF in an "Equation Native" stream; this object instead holds an 864 KB Ole10Native (Packager) stream with high entropy and package size fields that do not agree with the bytes actually present, which is the shape of a payload container rather than an equation. The stream name is also stored in mixed case (Ole10NATiVe), so a case-sensitive stream-name match would miss it. Equation Editor objects are the usual carrier for the EQNEDT32.EXE memory-corruption bugs used for client execution (T1203), and workbooks built this way are typically delivered as spearphishing attachments (T1566.001).

Heuristics (3)

  • OLE_EQUATION_EDITOR (severity: high; tags: CVE related) - Equation Editor OLE object
    Embedded OLE object xl/embeddings/GyD01y.TTLY8gI contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY (severity: high) - Equation Editor object carries payload-like Ole10Native stream
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF (Equation Native) exploit primitive also matches.
  • OOXML_OLE_OBJECT (severity: medium) - Embedded OLE object
    Document contains an embedded OLE object.
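The three heuristics above reduce to a small amount of parsing: enumerate the embedded OLE parts, read the root storage CLSID, locate an Ole10Native stream by a case-insensitive name match, then compare the stream's size fields with the bytes actually present and measure the payload entropy. The Python below is an added example written for this page, not code from the analysis engine that produced the report. The Ole10Native field layout it parses is the commonly documented Packager serialization (treat the field names as an assumption), the entropy and size thresholds are assumed values, the report's rule names are reused only as labels, and the sample stream it builds is constructed rather than the carved artifact. Only scan_ooxml() needs the third-party olefile package; everything else is standard library.

```python
import math
import random
import struct
import zipfile
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Equation Editor 3.0 CLSID (EQNEDT32.EXE), the component behind
# CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
EQUATION_EDITOR_CLSID = "0002CE02-0000-0000-C000-000000000046"

# Assumed thresholds for this example, not the report engine's values.
ENTROPY_THRESHOLD = 7.0      # bits/byte; packed or encrypted data sits near 8.0
LARGE_PAYLOAD = 64 * 1024    # bytes; a real MTEF equation is a few hundred bytes


@dataclass
class Ole10Native:
    declared_total: int   # leading DWORD; should equal len(stream) - 4
    actual_total: int
    label: str
    filename: str
    declared_data: int    # inner payload size field
    actual_data: int      # bytes really present after that field
    entropy: float


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def _cstr(buf: bytes, pos: int):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> Ole10Native:
    """Parse a Packager ("Ole10Native") stream. Assumed field order:
    DWORD total_size; WORD type; label\\0; filepath\\0; DWORD unknown;
    DWORD temp_path_len; temp_path\\0; DWORD data_size; data[data_size].
    A short or overstated stream parses without raising; the mismatch is
    surfaced through the declared/actual pairs."""
    (declared_total,) = struct.unpack_from("<I", stream, 0)
    pos = 6                                    # skip total_size and type word
    label, pos = _cstr(stream, pos)
    filename, pos = _cstr(stream, pos)
    pos += 4                                   # unknown DWORD
    (tmp_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4 + tmp_len                         # temp path including its NUL
    (declared_data,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    data = stream[pos:pos + declared_data]     # shorter than declared if the field lies
    return Ole10Native(declared_total, len(stream) - 4, label, filename,
                       declared_data, len(data), shannon_entropy(data))


def build_ole10native(label: str, filename: str, data: bytes) -> bytes:
    """Serialize an honest Packager stream in the layout parsed above."""
    tmp = b"C:\\Temp\\" + filename.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2) + label.encode("latin-1") + b"\x00"
            + filename.encode("latin-1") + b"\x00" + struct.pack("<I", 3)
            + struct.pack("<I", len(tmp)) + tmp
            + struct.pack("<I", len(data)) + data)
    return struct.pack("<I", len(body)) + body


def assess(clsid: str, ole10native: Optional[bytes]) -> dict:
    """Apply the report's three heuristics to one embedded OLE object."""
    findings = ["OOXML_OLE_OBJECT"]
    is_eqn = clsid.strip("{}").upper() == EQUATION_EDITOR_CLSID
    if is_eqn:
        findings.append("OLE_EQUATION_EDITOR")
    info = parse_ole10native(ole10native) if ole10native else None
    if is_eqn and info is not None:
        # A genuine Equation Editor object carries an "Equation Native" (MTEF)
        # stream, not a Packager stream; size lies or a large high-entropy
        # blob make the combination payload-shaped.
        size_lies = (info.declared_total != info.actual_total
                     or info.declared_data != info.actual_data)
        packed = info.actual_data >= LARGE_PAYLOAD and info.entropy >= ENTROPY_THRESHOLD
        if size_lies or packed:
            findings.append("OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY")
    return {"clsid": clsid, "findings": findings, "ole10native": info}


def scan_ooxml(path: str) -> list:
    """Run assess() over every embedded OLE part of an .xlsx/.docx/.pptx.
    Requires the third-party olefile package (pip install olefile)."""
    import olefile
    out = []
    with zipfile.ZipFile(path) as z:
        for part in z.namelist():
            if "/embeddings/" not in part:
                continue
            blob = z.read(part)
            if not olefile.isOleFile(blob):
                continue
            ole = olefile.OleFileIO(blob)
            stream = None
            for entry in ole.listdir(streams=True, storages=False):
                # case-insensitive on purpose: the sample spells it "Ole10NATiVe"
                if entry[-1].lstrip("\x01").lower() == "ole10native":
                    stream = ole.openstream(entry).read()
            out.append((part, assess(ole.root.clsid, stream)))
    return out


def constructed_sample() -> bytes:
    """Constructed stand-in for the carved stream: a 96 KiB pseudo-random
    payload whose total_size header overstates the stream by 0x1000 bytes."""
    rng = random.Random(0x11882)
    payload = bytes(rng.getrandbits(8) for _ in range(96 * 1024))
    stream = build_ole10native("eqn.wmf", "eqn.wmf", payload)
    return struct.pack("<I", len(stream) - 4 + 0x1000) + stream[4:]
```

To reproduce the size check on the real artifact, read ooxml_oleobject_00_ole10native_00.bin and pass it to parse_ole10native(); for a workbook, scan_ooxml("sample.xlsx") walks xl/embeddings/ and returns one assessment per OLE part. The case-insensitive stream-name match is the detail most worth keeping: a rule that looks only for the canonical "\x01Ole10Native" name would skip exactly the stream this report flags.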

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256:  0fcb1a4422faf643b0c45cffdd048135af681b368792bf20eb8d0a439b29a545
Kind:     ooxml-ole-object
Source:   OOXML embedded OLE part: xl/embeddings/GyD01y.TTLY8gI
Size:     873984 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
SHA-256:  242607bb0bb30ce741e17547785b53708b1780c39044737e15f53d9c94c0ea4e
Kind:     ole-package
Source:   OOXML xl/embeddings/GyD01y.TTLY8gI Ole10Native stream, stored under the mixed-case name Ole10NATiVe
Size:     864266 bytes