Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 28d556204b62a2d4…

MALICIOUS

Office (OOXML) / .XLSX

Size: 637.2 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 056fd1ede77bd9894f88441c8086d84d
SHA-1: 86df27f5571f292d6c51d7517c2732595aee3eb9
SHA-256: 28d556204b62a2d4984649857b414501fbe797f95f51e594a64417b3920874aa
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an Excel file containing an embedded OLE object identified as an Equation Editor object. Equation Editor objects are frequently used to exploit vulnerabilities in the legacy component, such as CVE-2017-11882, to execute arbitrary code. The presence of this object strongly suggests an attempt to leverage such an exploit for initial access or payload delivery.

Heuristics (2)

  • Equation Editor OLE object (severity: high; category: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/wYuc.0N1a contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: b25a2e09205a89c9eb0c64facf27cd3d31cf864ae0f6c704c03f86d8f8061cba
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/wYuc.0N1a
    Size: 951296 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 0def5c57c5f654100d5d9fc86764f47b78ab8cae8019775dad0325774c17be06
    Kind: ole-package
    Source: OOXML xl/embeddings/wYuc.0N1a Ole10Native stream: olE10NAtiVe
    Size: 941254 bytes