Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2456c984a0120539…

MALICIOUS

Office (OOXML)

74.7 KB Created: 2016-05-13 07:49:33 UTC Authoring application: Microsoft Excel 14.0300 First seen: 2020-07-24
MD5: 8d3f38c8eddc5e47becce659102ceb3b SHA-1: 439fda53355724dba2cd713e49334a6a928f1026 SHA-256: 2456c984a012053956c889e4bcbc484916cb4933484306f04b7e924d911b0fcb
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an OOXML document containing an embedded Equation Editor OLE object, which is known to be exploited by CVE-2018-0798. The document body presents a fake purchase order and includes multiple phone numbers, strongly suggesting a callback phishing or tech-support scam. The embedded OLE object likely contains a malicious payload, potentially a script or executable, designed to be triggered upon interaction.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • CVE-2018-0798 — anomalous Equation Editor native stream high CVE likely CVE_2018_0798_EQUATION_NATIVE_ANOMALY
    Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 4096 bytes
SHA-256: f57a6392b98ce21480561da86e14f8f44091e8a70f74e2701c30b7f45a3630f0
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: olE10NatiVe 1626 bytes
SHA-256: 2b495720217c8bb114a3bdda29d80f0c59a0af7177716087d3cd465118505406

Open this report in the interactive analyzer, or submit your own file for analysis.