Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 22355ce0bfc09283…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.62 MB
Created: 2021-09-22 12:07:42 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 29ee298412e6d2cb968a883563837cbe
SHA-1: 7ed1c5713ba7ff23e36fecdedb0f0c012f6c647b
SHA-256: 22355ce0bfc092836a0d62f6cbb54d03aa6fb26091ecd1907922fb9f6e0d0880
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The primary indicator of maliciousness is the presence of an embedded OLE object, identified as an Equation Editor object. This technique is commonly used to exploit vulnerabilities or deliver secondary payloads. No document body or scripts were extracted, limiting further analysis of the specific payload or delivery mechanism.

Heuristics (3)

  • Equation Editor OLE object [high, CVE related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/fo5YwKdp.d0A contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: e2ec9e7ab254805fe7b5424462404306f6697f0b66789c5dd42015e51ce86fdd
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/fo5YwKdp.d0A
Size: 1991168 bytes

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.