Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 22432434cb5e49dc…

MALICIOUS

Office (OOXML) / .XLSX

597.3 KB Created: 2024-03-25 10:30:17 UTC Authoring application: Microsoft Excel 12.0000
MD5: 92ff34f49a769a7d5c2c87787088265e SHA-1: 97b8b9f7b62ac8d51609a902238e0886334668fb SHA-256: 22432434cb5e49dc9db9b868fa5cb0aba0951fdcb4838d8c252f09f945ce2592
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious File T1059 Command and Scripting Interpreter T1059.003 Windows Command Shell T1566 Phishing T1566.001 Spearphishing Attachment T1566.002 Spearphishing Link

The file is an Office Open XML (OOXML) document containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. This type of object is known to be vulnerable to CVE-2017-11882, allowing for arbitrary code execution. The presence of this object strongly suggests the document is designed to exploit this vulnerability to deliver a secondary payload, likely a downloader or dropper.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/Ms.eXOUeRE contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
3629ab68946a8421a70d98f9505dc58038e3b4d7fdeea979aa37230538d1455e		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/Ms.eXOUeRE 868352 bytes
ooxml_oleobject_00_ole10native_00.bin
5a9688d80addf01dfb04460340792ccbb52caec396510aeeff9f6170538f19a5		 ole-package OOXML xl/embeddings/Ms.eXOUeRE Ole10Native stream: oLE10NATiVE 858883 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.