Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1cca3db389286709…

MALICIOUS

Office (OOXML) / .XLSX

Size: 600.0 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
MD5: ce084fa3fbabe048d2e2463a4d94ca36
SHA-1: 4d542c6c92549dea61813779b7072f6db7958805
SHA-256: 1cca3db389286709256aa5939cba085cf662ed47e8341274976047581ce50886
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The file is an Excel spreadsheet containing an embedded OLE object, identified as an Equation Editor object. This technique is commonly used to exploit vulnerabilities in the Equation Editor component to execute arbitrary code. The presence of this object strongly suggests a malicious intent, likely to deliver a secondary payload.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/ecYy0CB.ZGw contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 1a1998abfc5213f00997d8cfd43a0b2d4bcf153f6a513e37b71495c28f9e60a7
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/ecYy0CB.ZGw
    Size: 886784 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 208e374ae82aee9f7cf4b215d2d72e2d8531833d18699d1db00350a86308eb19
    Kind: ole-package
    Source: OOXML xl/embeddings/ecYy0CB.ZGw Ole10Native stream: Ole10NAtive
    Size: 877370 bytes