Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1a1d386c0c661cc4…

MALICIOUS

Office (OOXML) / .XLSX

Size: 705.6 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
MD5: ce37dbab5bc0036e9f5fc8dfaddf98b2
SHA-1: 8d4c4184422acf6330927edc861437ba0c4fc3de
SHA-256: 1a1d386c0c661cc471bf52b315c9827a9e3959d9bff424dd306be9f58ef6b136
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is an Excel spreadsheet containing an embedded OLE object identified as an Equation Editor object. Embedding an Equation Editor object is a common technique used to exploit known vulnerabilities in Microsoft Office applications. The embedded object's filename is also listed as an IOC. No scripts were extracted, and the document body consists of tabular data that offers no further clues to the specific lure.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/wPk1zcGA.WoxBWg contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: dbf622de84a1e7be04a945d72914ac7e3be8aa6b1c818d72cd23ffd33c5a6001
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/wPk1zcGA.WoxBWg
    Size: 959488 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: a31329c44506079d02c077c6fa3f15e78bc43081042c5bc3e452b72b2180af70
    Kind: ole-package
    Source: OOXML xl/embeddings/wPk1zcGA.WoxBWg Ole10Native stream: Ole10nATive
    Size: 949410 bytes