Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1a5118c5c49081b8…

MALICIOUS

Office (OOXML) / .XLSX

Size: 790.8 KB
Created: 2020-05-18 06:42:12 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2022-02-16
MD5: 85cac5dca82037d613efb83f2e158230
SHA-1: 66df67491a09e3656d48f0ca3b6c42da1e451e6b
SHA-256: 1a5118c5c49081b809ce2a1b4e509f4934480356a96929cbbcb7020199cfc25a
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is a malicious Excel document containing an embedded OLE object. Static analysis identified a critical vulnerability, CVE-2017-11882, related to the Equation Editor component. This indicates the document is designed to exploit this vulnerability upon opening, likely leading to arbitrary code execution. No scripts were extracted, but the presence of the vulnerable OLE object is sufficient evidence for the attack pattern.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow (severity: critical; category: CVE; rule: CVE_2017_11882)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object (severity: high; category: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/UBHc9VXIu.Ym contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; category: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256:  7bd08e2f0e623342e1f26dc3a349f1289f201b3bbfdd3e02a48467a8b4e9f884
Kind:     ooxml-ole-object
Source:   OOXML embedded OLE part: xl/embeddings/UBHc9VXIu.Ym
Size:     1046016 bytes