Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1d76f895c5375c2a…

MALICIOUS

Office (OOXML) / .XLSX

Size: 605.3 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2023-08-02
MD5: 2c39e4fa40271f319aa19583fea60551
SHA-1: fbda38f0f88814f263ad0335543eef5b6ab0c905
SHA-256: 1d76f895c5375c2af7953cb81e9f2a6872b3528c6fe8f8916adfe543cede377a
Risk score: 100

Note that the creation timestamp predates Excel 15 (Office 2013), the application version recorded in the file, so the creation date was either inherited from an older document or template or edited; treat both values as untrusted for attribution.

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model    T1204.002 User Execution: Malicious File

The sample is an OOXML workbook (.xlsx) carrying an embedded OLE object, xl/embeddings/PI.221do7y, whose CLSID identifies it as an Equation Editor object: the legacy component targeted by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. Instead of the small Equation Native (MTEF) stream a genuine equation would contain, the object stores a large, high-entropy Ole10Native package stream whose declared package sizes do not match its contents. That combination is the shape of an Equation/OLE exploit container rather than a real equation. The heuristics tie it to the Equation Editor exploit family but not to one specific CVE, because the Equation Native exploit primitive itself was not matched. Campaigns abusing this component use the container to download and execute a second-stage payload; the user still has to open the workbook (T1204.002), after which Office hands the embedded object to Equation Editor over COM (T1559.001).

Heuristics (3)

  • OLE_EQUATION_EDITOR (high, CVE related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/PI.221do7y contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY (high): Equation Editor object carries payload-like Ole10Native stream
    Embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • OOXML_OLE_OBJECT (medium): Embedded OLE object
    The document contains an embedded OLE object.
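The two Equation Editor heuristics come down to a CLSID check on the embedded compound file and a size-consistency check on its Package stream. The Python below is an added example, not code from the engine that produced this report: it reads the root CLSID straight out of the compound file's directory, matches the Ole10Native stream name case-insensitively (which is how the mixed-case OlE10NaTive name in this sample still resolves), and parses a Package stream to compare its declared sizes with the bytes actually present, with byte entropy as the "high-entropy" signal. Assumptions: the Package layout used (total size, flags, label, filename, two words, temp-path length, temp path, payload size, payload) is the commonly documented one; the Equation Editor CLSID value is well known but does not appear on this page; the compound file and Package streams the code runs on are constructed inside the block, not carved from the sample.

```python
"""Checks behind the two Equation Editor heuristics: (1) the embedded OLE container's
root CLSID names Equation Editor 3.0, (2) its Ole10Native (Package) stream is
internally consistent in size. The compound file and Package streams are constructed."""
import math
import struct
import uuid
from collections import Counter

# Equation Editor 3.0 class ID (the component hit by CVE-2017-11882 / CVE-2018-0802).
# Well-known value; the report page itself does not print it.
EQUATION_EDITOR_CLSID = "0002ce02-0000-0000-c000-000000000046"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

def cfb_root_clsid(cfb: bytes) -> str:
    """Root-storage CLSID of a Compound File (OLE2) as a lowercase GUID string.
    Needs only the header and the first directory sector: the root entry is always
    the first 128-byte directory entry and its CLSID sits at entry offset 80."""
    if cfb[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    sector_shift = struct.unpack_from("<H", cfb, 0x1E)[0]
    first_dir_sector = struct.unpack_from("<I", cfb, 0x30)[0]
    root = (first_dir_sector + 1) << sector_shift      # the 512-byte header precedes sector 0
    return str(uuid.UUID(bytes_le=cfb[root + 80:root + 96]))

def is_equation_editor_object(cfb: bytes) -> bool:
    return cfb_root_clsid(cfb) == EQUATION_EDITOR_CLSID

def is_ole10native_name(stream_name: str) -> bool:
    """CFB directory lookups are case-insensitive, so 'OlE10NaTive' resolves to the
    standard '\\x01Ole10Native' Package stream; match it the same way."""
    return stream_name.lstrip("\x01").upper() == "OLE10NATIVE"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate packed or encrypted content."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def _cstring(buf: bytes, off: int):
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1

def parse_ole10native(stream: bytes) -> dict:
    """Parse a Package (Ole10Native) stream and flag size inconsistencies.
    Assumed layout (as commonly documented for the OLE Package class): DWORD total size
    of what follows; WORD flags; label\\0; filename\\0; WORD; WORD; DWORD temp-path
    length; temp path\\0; DWORD payload size; payload bytes."""
    declared_total = struct.unpack_from("<I", stream, 0)[0]
    label, off = _cstring(stream, 6)                    # skip total size + flags word
    filename, off = _cstring(stream, off)
    temp_path, off = _cstring(stream, off + 8)          # skip two WORDs + path length
    declared_data = struct.unpack_from("<I", stream, off)[0]
    off += 4
    available = len(stream) - off
    return {
        "label": label, "filename": filename, "temp_path": temp_path,
        "declared_total": declared_total, "actual_total": len(stream) - 4,
        "declared_data": declared_data, "available_data": available,
        # A genuine Package declares exactly the bytes it carries; anything else is
        # the "malformed package sizing" the heuristic reports.
        "size_consistent": declared_total == len(stream) - 4 and declared_data <= available,
        "entropy": shannon_entropy(stream[off:off + declared_data]),
    }

def build_ole10native(label, filename, temp_path, payload, declared_total=None, declared_data=None):
    """Constructed sample Package stream; override the declared sizes to model a malformed one."""
    tp = temp_path.encode() + b"\x00"
    body = struct.pack("<H", 2) + label.encode() + b"\x00" + filename.encode() + b"\x00"
    body += struct.pack("<HHI", 0, 3, len(tp)) + tp
    body += struct.pack("<I", len(payload) if declared_data is None else declared_data) + payload
    return struct.pack("<I", len(body) if declared_total is None else declared_total) + body

def build_min_cfb(root_clsid: str) -> bytes:
    """Constructed minimal compound file: header plus one directory sector holding only
    the root entry (no FAT); sufficient for cfb_root_clsid()."""
    header = bytearray(512)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, shifts
    struct.pack_into("<I", header, 0x30, 0)                           # first directory sector = 0
    entry = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    entry[:len(name)] = name
    struct.pack_into("<HBB", entry, 64, len(name), 5, 1)              # name length, root storage, black
    struct.pack_into("<III", entry, 68, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)  # no siblings, no child
    entry[80:96] = uuid.UUID(root_clsid).bytes_le
    return bytes(header) + bytes(entry) + bytes(512 - len(entry))

if __name__ == "__main__":
    good = build_ole10native("notes.txt", "notes.txt", "C:\\tmp\\notes.txt", b"hello")
    bad = build_ole10native("x", "x", "C:\\x", b"\x90" * 64, declared_total=0x100000)
    print("benign:", parse_ole10native(good)["size_consistent"], "malformed:", parse_ole10native(bad)["size_consistent"])
    print("equation editor object:", is_equation_editor_object(build_min_cfb(EQUATION_EDITOR_CLSID)))
```

To apply this to a real workbook, unzip it, iterate over xl/embeddings/*, feed each part to is_equation_editor_object(), and use a full CFB reader (for example olefile) to enumerate streams and pull the one whose name passes is_ole10native_name() into parse_ole10native(); a genuine equation object has no Package stream at all, so its mere presence under an Equation Editor CLSID is already the anomaly.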

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                               Kind              Source                                                                    Size
ooxml_oleobject_00.bin                 ooxml-ole-object  OOXML embedded OLE part xl/embeddings/PI.221do7y                          898,560 bytes
    SHA-256: 17f07da8bf7acf8bd8cfc4c2d00b4ee8037c4012f246b277e3fbc6f467a48901
ooxml_oleobject_00_ole10native_00.bin  ole-package       Ole10Native stream of xl/embeddings/PI.221do7y (stored as "OlE10NaTive")  889,314 bytes
    SHA-256: 2e427f8eafa6d8b0a55f1d1fc5022865716b110b9a5f98a0bd87ae6f3c222c6f

Two details worth checking before reusing these artifacts in detections. First, the Package stream accounts for 889,314 of the container's 898,560 bytes, so the "Equation" object is almost entirely payload, which is what the payload-anomaly heuristic keys on. Second, the stream is stored under the mixed-case name OlE10NaTive rather than the canonical Ole10Native spelling; compound-file directory lookups are case-insensitive, so OLE still treats it as the Package stream, but YARA rules or parsers that match the stream name case-sensitively will not see it.