Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 2aa5579969a6f335…

MALICIOUS

Office (OOXML) / .XLSX

Size: 604.3 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 7cdc910bb6e083fcbed96c4e60a7f0e7
SHA-1: f5e6a7c23661f7a33453c78735daa60ba410784e
SHA-256: 2aa5579969a6f33527eedbcb9bdc5983edb232928f02457a11974f1ac25131bd
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link: Malicious Link
  • T1559 Component Object Model Hijacking
  • T1559.001 Component Object Model Hijacking: Component Object Model Hijacking

The sample is an Excel spreadsheet containing an embedded OLE object, specifically identified as an Equation Editor object. This strongly suggests the exploitation of a known vulnerability within the Equation Editor component to execute arbitrary code. The embedded OLE object is the primary indicator of this attack vector. No scripts were extracted, and the document body contains tabular data unrelated to the malicious functionality.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE related) OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/XGt5zhXd.94Y2h contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium) OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 925b94267115218e9db0470a55fa925f4f12873e766c7a163fd0aa19bb0874e2
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/XGt5zhXd.94Y2h
  Size:    908288 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 605a0888ccb9299906a09cb7b697323dc3ecc193b1ab35c53bf9cb319fa62e6d
  Kind:    ole-package
  Source:  OOXML xl/embeddings/XGt5zhXd.94Y2h, Ole10Native stream: oLE10nATive
  Size:    898859 bytes