Office (OOXML) / .XLSX malware analysis — malicious · 2699cc48ccf7514f

MALICIOUS

Office (OOXML) / .XLSX

1.01 MB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 12.0000

MD5: 97bf00b5290a357505c74ff6febe590a SHA-1: 2cd10d73b6b876e0dd4ca952f33ff79ae7dc5fb7 SHA-256: 2699cc48ccf7514ff4c78405aedf2b0fde9799e98111abb1e85ff1fac59e73d7

110 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link T1559 Component Object Model Hijacking

The sample is an Excel file containing an embedded OLE object, specifically identified as a vulnerable Equation Editor object. Heuristics indicate a high likelihood of exploitation for CVE-2018-0798. This suggests the file is designed to exploit this vulnerability to execute a malicious payload, likely leading to further compromise.

Heuristics 5

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
CVE-2018-0798 — anomalous Equation Editor native stream high CVE likely CVE_2018_0798_EQUATION_NATIVE_ANOMALY

Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.day.com/dam/1.0
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/tiff/1.0/
- http://purl.org/dc/elements/1.1/

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `0e5956145f30622fe3cbc142b61d81d48b942197665c16295e719a01f2759a9b`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject1.bin	3584 bytes
`ooxml_oleobject_00_ole10native_00.bin` `1c2704b24655595097130ef1474e3faac172305179909b11b7410c4e4e6ba0e8`	ole-package	OOXML xl/embeddings/oleObject1.bin Ole10Native stream: OLE10NATivE	1277 bytes
`ooxml_oleobject_01.bin` `5bcfa2d24ee175b1beb682611170d90e8102a5e7c62b498857da7a28cc5705a9`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject2.bin	11776 bytes
`ooxml_oleobject_01_ole10native_00.bin` `2065a5e0f7398e87f76c05191fd323df059d099ddbb52bd9c3666a365e3efdce`	ole-package	OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native	9788 bytes
`emf_00.emf` `afddec1c17edfea79da9fb141350fc83aecae3ad4ab871a549f749c58815a2ce`	ooxml-emf	OOXML EMF part: xl/media/image8.emf	648132 bytes
`emf_01.emf` `0a0f2b9982aa51e3ee5e92d3c76177090cf67d425b70862298ae6c1db3085c1b`	ooxml-emf	OOXML EMF part: xl/media/image9.emf	7788 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.