Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 24edc0c28acc0625…

MALICIOUS

Office (OOXML) / .XLSX

607.2 KB Created: 2022-08-10 18:51:50 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2023-08-09
MD5: 4c8c732cbd8f6d7a4d88df118ac81ca7 SHA-1: df536a8d3f5b24980b29d8664c51a0714502cff0 SHA-256: 24edc0c28acc0625f0ffc312a8038362a9edf3f055a6c06b50cbd5ee39d124fa
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious File

The sample is an Excel file containing an embedded OLE object, specifically identified as a vulnerable Equation Editor object. This object carries a payload-like stream with an anomalous header, indicating it's designed to exploit the Equation Editor vulnerability. ClamAV detection further confirms its malicious nature, classifying it as Win.Malware.Agent. The document body, appearing as a purchase order, serves as a lure to trick the user into opening and interacting with the malicious content.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/qHDeoRt.uFM contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Win.Malware.Agent-10007218-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Malware.Agent-10007218-0
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
07b0d3f6c3c1a4a891918264df80cef2444cb2be70b30d5faa931512865c6019		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/qHDeoRt.uFM 897536 bytes
ooxml_oleobject_00_ole10native_00.bin
4cb314777ceb11732da8a446adcc2ac3c9b10fe2b91f109105024aefa06251d8		 ole-package OOXML xl/embeddings/qHDeoRt.uFM Ole10Native stream: OLe10NATIve 888048 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.