Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 213bf66a9a6d1e41…

MALICIOUS

Office (OOXML) / .XLSX

Size: 712.3 KB
Created: 2023-11-17 18:26:59 UTC
Authoring application: Microsoft Excel 12.0000
MD5: becae67fa80dfb7431482b18606b2cb7
SHA-1: 2b3894ad7f7b64c3a11579eaa35492bebdde0e2f
SHA-256: 213bf66a9a6d1e41b0f86841b1f36b9f7bbcb0e66e29228c84c0bf7a707083de
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an Office Open XML (OOXML) file containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. This is a known technique for exploiting vulnerabilities like CVE-2017-11882, which allows for arbitrary code execution. The presence of the Equation Editor OLE object strongly suggests an attempt to leverage this vulnerability for initial access. No scripts were extracted, but the OLE object itself is the primary indicator of compromise.

Heuristics (2)

  • Equation Editor OLE object [high, CVE related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/BalZ.R6 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 3f04831472f819474f531030471e8ba63210e377b39cfbe592a99e3e03df9e6f
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/BalZ.R6
    Size: 1031680 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: e07d82037bd0f51f46e44e24ef72ebb5c83cc3f5f0e0021a84bfccceea680025
    Kind: ole-package
    Source: OOXML xl/embeddings/BalZ.R6 Ole10Native stream: oLe10NatIve
    Size: 1021233 bytes