Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 209f6c3620f31417…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.97 MB
Created: 2019-11-27 09:20:57 UTC
Authoring application: Microsoft Excel 12.0000 (AppVersion 12.0 is Excel 2007; this value comes from the document's own docProps/app.xml and is attacker-controlled, so treat it as a hint, not evidence)
MD5: b1530adc374c9c8ac9cf8390a13a99ec
SHA-1: b48005b21ef06ea6c197b5a0aa6befe2196d2d8f
SHA-256: 209f6c3620f31417b114842e1e201e256cec9a4e718c0294a6cae3f515745723
Risk score: 80

Malware Insights

MITRE ATT&CK
T1204 User Execution; T1204.002 User Execution: Malicious File

The sample is an Office Open XML spreadsheet containing one embedded OLE object (xl/embeddings/NV.j1JLBmm) whose CLSID identifies it as an Equation Editor (EQNEDT32.EXE) object. The document also carries a lure asking the user to enable editing or content. Equation Editor exploits need no macros: the object is activated once the file leaves Protected View, which is exactly what an "Enable Editing" lure achieves, and no macro-related heuristic fired on this sample. The analysis carved the OLE part and its Ole10Native stream but did not classify the stream's contents, so no malware family or more specific attack pattern can be assigned from static analysis alone.

Heuristics (3)

  • Equation Editor OLE object (severity: high; tags: CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/NV.j1JLBmm carries the Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}, the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798 and removed from Office by the January 2018 security updates. The CLSID only shows what the object claims to be; whether it actually carries an exploit record has to be confirmed from the stream contents or from behaviour in a sandbox with an unpatched EQNEDT32.EXE.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
  • Macro/content-enable lure (severity: medium) [SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to get past Office macro security settings and Protected View. For this sample the relevant step is "Enable Editing": leaving Protected View is what allows the embedded Equation Editor object to be activated.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

1. ooxml_oleobject_00.bin
   Kind: ooxml-ole-object
   Source: OOXML embedded OLE part xl/embeddings/NV.j1JLBmm
   Size: 2827264 bytes
   SHA-256: 65850b070aa369fb0d17aa684d7c253e1ec7ecf27d1ba980a2e82c2c0d812c78

2. ooxml_oleobject_00_ole10native_00.bin
   Kind: ole-package
   Source: Ole10Native stream (directory name "OlE10nATiVe") inside xl/embeddings/NV.j1JLBmm
   Size: 2802501 bytes
   SHA-256: ce577169253d8fa67e85c5ec76d7d1c4e9e46fa9ef62978b66853109762f24fe

Two observations a reviewer should act on. First, the stream is named "OlE10nATiVe" rather than the usual "\x01Ole10Native": compound-file directory names are compared case-insensitively, so Office resolves it normally, while a case-sensitive string match in a scanner does not. Second, at 2.8 MB the Ole10Native stream is far larger than an Equation Editor exploit record needs to be and accounts for almost the entire OLE part, so it most likely packages the real payload (a Packager object with an embedded file) and is the next artifact to examine.
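The two findings that drive this verdict (the Equation Editor CLSID in the embedded part, and an Ole10Native stream with a case-mangled name) are cheap to reproduce with a byte-level triage script. The example below is added here and is not code from the report's analysis engine. It scans the embedded parts of an OOXML zip the way a YARA rule would, matching the Equation Editor CLSID bytes and the UTF-16LE stream name case-insensitively, and then parses the Packager header of an Ole10Native stream. The CLSID value is the real Equation.3 CLSID; the Packager header layout is assumed (it follows the fields oletools' oleobj reads), and every input, including the fake embedded part and the "dropper.exe" payload, is constructed inline and is not carved from this sample. On a real file, read the stream with olefile rather than trusting a byte scan, because the scan does not walk CFB sectors.

```python
"""Triage an OOXML part for an Equation Editor OLE object and an Ole10Native payload.
Added example; byte-level scan, not a CFB parser. Packager layout below is assumed
(fields as oletools' oleobj reads them); all inputs are constructed, not from the sample."""
import io
import re
import struct
import zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Equation.3 (EQNEDT32.EXE) CLSID {0002CE02-0000-0000-C000-000000000046} as stored on disk:
# Data1..Data3 little-endian, Data4 verbatim. This is the byte pattern the CLSID heuristic keys on.
EQNEDT_CLSID_LE = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")
# CFB directory names are UTF-16LE and compared case-insensitively, so "OlE10nATiVe" is still
# \x01Ole10Native to Office; a case-sensitive string match would miss it, this regex does not.
OLE10NATIVE_RE = re.compile(b"(?:\x01\x00)?" + "Ole10Native".encode("utf-16-le"), re.IGNORECASE)
EMBEDDING_DIRS = ("xl/embeddings/", "word/embeddings/", "ppt/embeddings/")


def triage_ooxml(ooxml: bytes) -> list:
    """One finding dict per embedded part in the OOXML zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ooxml)) as zf:
        for name in zf.namelist():
            if not name.startswith(EMBEDDING_DIRS):
                continue
            part = zf.read(name)
            names = [m.group(0).decode("utf-16-le").lstrip("\x01")
                     for m in OLE10NATIVE_RE.finditer(part)]
            findings.append({
                "part": name,
                "size": len(part),
                "is_cfb": part.startswith(CFB_MAGIC),
                "equation_editor_clsid": EQNEDT_CLSID_LE in part,
                "ole10native_names": names,
                "mixed_case_stream_name": any(n != "Ole10Native" for n in names),
            })
    return findings


def _cstr(buf: bytes, pos: int):
    """Read a NUL-terminated string; return (text, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Parse the Packager header of an Ole10Native stream (assumed layout, see docstring)."""
    declared_size, flags1 = struct.unpack_from("<IH", stream, 0)
    label, pos = _cstr(stream, 6)
    filename, pos = _cstr(stream, pos)
    flags2, unknown, temp_len = struct.unpack_from("<HHI", stream, pos)
    temp_path, pos = _cstr(stream, pos + 8)
    data_size, = struct.unpack_from("<I", stream, pos)
    data = stream[pos + 4:pos + 4 + data_size]
    return {"label": label, "filename": filename, "temp_path": temp_path,
            "declared_size": declared_size, "data_size": data_size, "data": data,
            "truncated": len(data) < data_size}


def build_ole10native(label: str, filename: str, temp_path: str, payload: bytes) -> bytes:
    """Constructed Ole10Native stream in the same assumed layout (test input only)."""
    body = struct.pack("<H", 2) + label.encode() + b"\0" + filename.encode() + b"\0"
    body += struct.pack("<HHI", 0, 3, len(temp_path) + 1) + temp_path.encode() + b"\0"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


def build_fake_xlsx(stream: bytes) -> bytes:
    """Constructed OOXML zip whose embedded part carries the bytes the scan keys on.
    The part is not a valid CFB (no FAT or sectors); only its name copies the report's."""
    part = (CFB_MAGIC + b"\0" * 24
            + b"\x01\x00" + "OlE10nATiVe".encode("utf-16-le") + b"\0\0"
            + EQNEDT_CLSID_LE + stream)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/NV.j1JLBmm", part)
    return buf.getvalue()


def demo() -> dict:
    payload = b"MZ" + b"\x90" * 62  # constructed placeholder, not bytes from the sample
    stream = build_ole10native("dropper.exe", "dropper.exe", "C:\\Users\\x\\dropper.exe", payload)
    findings = triage_ooxml(build_fake_xlsx(stream))
    return {"findings": findings, "packager": parse_ole10native(stream)}


if __name__ == "__main__":
    result = demo()
    print(result["findings"])
    print({k: v for k, v in result["packager"].items() if k != "data"})
```

Run it on a real document by feeding the file bytes to triage_ooxml and, for any part with a CLSID hit, opening the part with olefile and passing the Ole10Native stream to parse_ole10native; a "truncated" result or a "declared_size" that disagrees with the stream length is itself worth noting, since both are common in hand-built exploit documents.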