Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 21483170e580b7ac…

MALICIOUS

Office (OOXML) / .XLSX

654.5 KB Created: 2023-07-26 19:45:53 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2023-08-15
MD5: de215cdbd095d57d1b6a321da4d0d99e SHA-1: 42b8c9ee61af9bc1bcb995842c5ae1849b57e90b SHA-256: 21483170e580b7ac7455583b9c8232e88667cc1da02d3dfa8e443b821bda607d
100 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The sample is an Excel file containing an embedded OLE object identified as an Equation Editor. Heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous size, strongly suggesting exploitation. This technique is commonly used to deliver second-stage malware.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/L7l4.P3tYhn6 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
b174e981148c71a63a05bd45b73d79fd661ef3fcf2947432f15da1fbc8eaea32		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/L7l4.P3tYhn6 914432 bytes
ooxml_oleobject_00_ole10native_00.bin
340c5a1c0a4e8c1b03d805853f71d6f0a69b9e4dab40d1215a946abfc9b34a68		 ole-package OOXML xl/embeddings/L7l4.P3tYhn6 Ole10Native stream: OlE10NatIVe 905163 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.