Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1c50888a51f41d9b…

MALICIOUS

Office (OOXML) / .XLSX

617.7 KB Created: 2022-07-21 17:04:09 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2023-07-18
MD5: a0cacf9006231166df5019cf126b0de8 SHA-1: bf13add3c69f8fd7359b54b282631df9b2c72804 SHA-256: 1c50888a51f41d9baa927cbdfd6a517f9473793a134fe842428eecbd7be5fcbc
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.005 Visual Basic

The sample is an Office document (XLSX) that contains an embedded OLE object, specifically an Equation Editor object. This object has an anomalous Ole10Native stream, indicating it likely carries a payload. The heuristic 'SE_ENABLE_LURE' confirms the document instructs the user to enable macros, a common tactic for malware droppers. The obfuscated document body content further supports the intent to conceal malicious activity.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/YeDd.PJSR contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
3e4a02c2c1fc22c36992a77bd3a001766b06d086e44ad0d0762391b8f2b9c71f		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/YeDd.PJSR 895488 bytes
ooxml_oleobject_00_ole10native_00.bin
0673746b1cf945ba780ee98133a99093f384ad325f6fb585afd7ccd2c81f2fc6		 ole-package OOXML xl/embeddings/YeDd.PJSR Ole10Native stream: OLe10natIve 886124 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.