Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 2263dfcc53f99feb…

MALICIOUS

Office (OOXML) / .XLSX

Size: 656.0 KB
Created: 2023-09-27 08:05:40 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2023-09-28
MD5: 2005ee2dd249595725c3ea0389f303bf
SHA-1: 100c86f353491aeb43e18aae0466701009895ac3
SHA-256: 2263dfcc53f99feb7f0f88f8a3fe3174eb899159399ac989fc4f00684e716da0
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.001 Malicious Link

The file contains an embedded OLE object identified as a Microsoft Equation Editor object. Heuristics indicate that this object carries a payload-like Ole10Native stream with anomalous size and entropy, strongly suggesting it is used to exploit Equation Editor vulnerabilities. The presence of this object points to an attack pattern that leverages the Equation Editor to deliver a secondary malicious payload.

Heuristics 3

  • Equation Editor OLE object | severity: high | CVE related | OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/xDWkNU.bAO8 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream | severity: high | OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object | severity: medium | OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    SHA-256: 8d45c41406ca6efbd2cab362f93b42b4b72f615519119227b2b23185ddbcee30
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/xDWkNU.bAO8
    Size: 977408 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: edd77a1ace971e98bf940fd19795613f745028ac799f73ed714cee86b1817d39
    Kind: ole-package
    Source: OOXML xl/embeddings/xDWkNU.bAO8 Ole10Native stream: Ole10NATivE
    Size: 967598 bytes