Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1fd0fb42c07edca0…

MALICIOUS

Office (OOXML) / .XLSX

Size: 680.7 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 000a7e653966f9e6aad8479fe02b931e
SHA-1: 104f89426f6f9830be41810fa0a496b2e1d79ac8
SHA-256: 1fd0fb42c07edca0ac3641617c65bda140234451f5dd3a198b4ee787673f4108
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model

The file is an Excel workbook containing an embedded OLE object whose CLSID identifies it as a Microsoft Equation Editor (Equation.3) object. Equation Editor is a legacy out-of-process component (EQNEDT32.EXE) with well-known memory corruption vulnerabilities (CVE-2017-11882, CVE-2018-0802, CVE-2018-0798) that are widely abused to run arbitrary code when a document is opened; Microsoft removed the component from Office in January 2018, so a freshly authored workbook has little legitimate reason to embed one. No exploit code or payload was extracted, so the verdict rests on the presence of the object rather than on a recovered shellcode or dropped file. Two details strengthen it: the embedded part uses a randomised name (xl/embeddings/OzP.gVr1m) instead of Excel's usual oleObjectN.bin, and its data sits in an Ole10Native stream, the layout used by embedded-file (Packager) objects, whereas a genuine equation stores its data in an "Equation Native" stream. The stream name is also written with non-standard casing ("ole10naTIVE"); compound-file stream names are matched case-insensitively, so Office still resolves it, but a detection that compares stream names case-sensitively would miss it.

Heuristics (2)

  • Equation Editor OLE object  [severity: high, CVE related]  OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/OzP.gVr1m contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object  [severity: medium]  OOXML_OLE_OBJECT
    The document contains an embedded OLE object.
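Added example, not part of the report or of the scanner's own code: a stdlib-only Python triage script that applies the two heuristics above to an OOXML container. It unzips the document, picks out parts under xl/embeddings/ (and the Word and PowerPoint equivalents), and byte-scans each one for the Equation Editor and Packager CLSIDs in their on-disk GUID layout, the Equation.3 ProgID, and the directory stream names, matched case-insensitively so a name like "ole10naTIVE" is still caught. The CLSIDs and stream names are public constants; the workbook it builds for itself is a constructed stand-in that reuses the report's part name but is not a valid compound file.

```python
import io
import uuid
import zipfile

# Public, well-known CLSIDs of the two legacy OLE servers relevant here.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")  # Equation.3 / EQNEDT32.EXE
PACKAGER_CLSID = uuid.UUID("0003000C-0000-0000-C000-000000000046")         # Package (embedded file)
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"                             # compound file signature

# Directory-entry stream names that reveal what an embedded object carries.
STREAM_NAMES = ("Equation Native", "Ole10Native", "CompObj", "ObjInfo")
EMBEDDING_DIRS = ("xl/embeddings/", "word/embeddings/", "ppt/embeddings/")


def inspect_ole_part(data: bytes) -> dict:
    """Byte-pattern triage of one embedded OLE part (no full CFB directory parse)."""
    found = {"is_cfb": data.startswith(CFB_MAGIC), "clsids": [], "streams": [], "progids": []}
    # CFB stores CLSIDs in the on-disk GUID layout, which is exactly uuid.bytes_le.
    for label, clsid in (("Equation Editor", EQUATION_EDITOR_CLSID), ("Packager", PACKAGER_CLSID)):
        if clsid.bytes_le in data:
            found["clsids"].append(label)
    # Stream names are UTF-16LE. CFB compares them case-insensitively, so Office
    # resolves "ole10naTIVE" as Ole10Native; bytes.lower() only touches ASCII letters,
    # so lowercasing the UTF-16LE buffer gives the same case-insensitive match.
    low = data.lower()
    for name in STREAM_NAMES:
        if name.encode("utf-16-le").lower() in low:
            found["streams"].append(name)
    # The CompObj stream carries the ANSI ProgID; Equation Editor's is "Equation.3".
    if b"Equation.3" in data:
        found["progids"].append("Equation.3")
    return found


def classify(found: dict) -> tuple:
    """Map the raw findings to a severity and a human-readable reason."""
    if "Equation Editor" in found["clsids"] or "Equation.3" in found["progids"]:
        reason = ("Equation Editor object (legacy EQNEDT32 component; CVE-2017-11882, "
                  "CVE-2018-0802, CVE-2018-0798)")
        if "Ole10Native" in found["streams"] and "Equation Native" not in found["streams"]:
            reason += ("; payload is in an Ole10Native (Packager) stream, not the Equation Native "
                       "stream a genuine equation uses")
        return "high", reason
    if found["is_cfb"]:
        return "medium", "embedded OLE compound file"
    return "low", "embedded part is not a compound file"


def scan_office_zip(blob: bytes) -> list:
    """Walk an OOXML container and triage every embedded OLE part."""
    results = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().startswith(EMBEDDING_DIRS):
                continue
            part = zf.read(info)
            found = inspect_ole_part(part)
            found["part"] = info.filename
            found["size"] = len(part)
            found["severity"], found["reason"] = classify(found)
            results.append(found)
    return results


def build_sample_xlsx(with_ole: bool = True) -> bytes:
    """Constructed test input, not the analysed sample: a minimal zip laid out like an
    .xlsx. The embedded part is NOT a valid compound file, only the CFB signature
    followed by the byte patterns a real Equation Editor/Packager object would contain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_ole:
            ole_part = (CFB_MAGIC + b"\x00" * 64
                        + "ole10naTIVE".encode("utf-16-le")      # odd casing as seen in the report
                        + b"\x00" * 16 + EQUATION_EDITOR_CLSID.bytes_le
                        + b"\x00" * 16 + b"Equation.3\x00")
            zf.writestr("xl/embeddings/OzP.gVr1m", ole_part)  # part name taken from the report
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_office_zip(build_sample_xlsx()):
        print(f"{hit['part']} ({hit['size']} bytes): {hit['severity'].upper()} - {hit['reason']}")
```

Byte scanning is deliberate for triage: it is cheap and still works on a corrupted or truncated compound file that a strict parser would reject. For confirmation, parse the CFB directory (for example with olefile) and read the CLSID from the root directory entry together with the real stream list, so a CLSID that merely appears inside stream data is not mistaken for the object's class.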

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: ecad354b73be96407b47cd4fedb4f552e6026f926bf613316e59c91d3e3df4be
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part xl/embeddings/OzP.gVr1m
  Size: 928256 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 58b30a641e06ff28451ff62147538b0296fe56344dd2df70b73d12d6ab9dc862
  Kind: ole-package
  Source: Ole10Native stream "ole10naTIVE" in OOXML part xl/embeddings/OzP.gVr1m
  Size: 918269 bytes