Office (OOXML) / .XLSX malware analysis — malicious · 18975be5ce06e4cd

MALICIOUS

Office (OOXML) / .XLSX

2.36 MB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 12.0000

MD5: c2b3fde6752f492c43a176dac3fedc2b SHA-1: 14adc79856c993c912e7752d9bdce7fa19d5f1e0 SHA-256: 18975be5ce06e4cd707226fcfd6d81637a2e49f1a1c2ae656ac6a9a0073ec907

152 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an Excel file containing an embedded Equation Editor OLE object. Heuristics indicate this object is anomalous and likely exploits CVE-2018-0798, a vulnerability in Equation Editor that allows for client execution. The embedded object's Ole10Native stream appears to contain a payload, suggesting the file's purpose is to exploit this vulnerability to download and execute a second-stage payload.

Heuristics 7

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
CVE-2018-0798 — anomalous Equation Editor native stream high CVE likely CVE_2018_0798_EQUATION_NATIVE_ANOMALY

Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY

Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.day.com/dam/1.0
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/tiff/1.0/
- http://purl.org/dc/elements/1.1/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `a2b96d4ab95b38143d0710e960c587602f5f1c7c99f87ebd4526c738c98129c6`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject1.bin	1937408 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`ooxml_oleobject_00_ole10native_00.bin` `fc30fdc2b06edd3e343ddb53b890028b396b0f5116ec9368d892a150ddbfbe7b`	ole-package	OOXML xl/embeddings/oleObject1.bin Ole10Native stream: OLE10NATIve	1919749 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.
`ooxml_oleobject_01.bin` `0870c243561853c22a1917cb668b866dc134bac5fa31eda885379540364ecf2f`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/Microsoft_Office_Word_Macro-Enabled_Document1.docm	127545 bytes
`emf_00.emf` `d118b44ed968d460fa3b4d6ce009625bc74f2fb65ee91be565aec84d9d3923b5`	ooxml-emf	OOXML EMF part: xl/media/image9.emf	653280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.