Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2b0524d75529fcee…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 676.7 KB
Created: 2019-11-27 09:20:57 UTC (document metadata, so attacker-controlled)
Authoring application: Microsoft Excel 12.0000 (document metadata; AppVersion 12 is Office 2007)
MD5: f306e0554fc0a77ba75576f917f6fef3
SHA-1: 269fa7ce18e3d336bf665e89b78a4199590e9f5e
SHA-256: 2b0524d75529fcee810243d45982bc50ad33f726be8c846b2a87bf44b1f85a66
Risk score: 100

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1566.001 Spearphishing Attachment

The file contains an embedded OLE object whose CLSID identifies it as an Equation Editor object. A genuine equation would carry its MTEF data in an Equation Native stream; the only stream carved from this object is a large, payload-like Ole10Native (Packager) stream with an anomalous header, which is the shape of an exploit container rather than of a legitimate embedding. Documents weaponised this way are typically delivered as spearphishing attachments (T1566.001) and rely on the victim opening the file so that the vulnerable client component is exploited (T1203); the delivery channel is inferred from the technique, not established by the file itself.

Heuristics (3)

  • OLE_EQUATION_EDITOR: Equation Editor OLE object (severity: high, CVE-related)
    Embedded OLE object xl/embeddings/7VN3qvUnb.Nzf2xUl contains the Equation Editor CLSID ({0002CE02-0000-0000-C000-000000000046}), the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY: Equation Editor object carries payload-like Ole10Native stream (severity: high)
    Embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream with malformed package sizing: Ole10Native is the Packager container, whose header records the length of the embedded file, and here the length fields do not describe the stream. This is the exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • OOXML_OLE_OBJECT: Embedded OLE object (severity: medium)
    Document contains an embedded OLE object.
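The two Equation Editor heuristics above can be reproduced with a small byte-level check. What follows is an added example, not the analysis engine's code and not the sample: a minimal compound-file (CFB) reader built on the standard library only (regular sectors; streams below the mini-stream cutoff are listed but not parsed, and DIFAT sectors beyond the header are ignored) that walks the embeddings folders of an OOXML package, compares the root entry's CLSID with the Equation Editor CLSID, matches the Ole10Native stream name case-insensitively (this sample stores it as ole10NaTIve), parses the Packager header and checks that its length fields agree with the stream, which is one reading of "malformed package sizing". It also flags part names that are not the oleObjectN.bin form Office writes. build_sample() constructs a synthetic package that mimics that shape; its label, filename, path and payload bytes are invented, and nothing in it comes from the real sample except the part name.

```python
import io, re, struct, uuid, zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")  # legacy EQNEDT32.EXE object
ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF  # FREESECT shares the NOSTREAM value
EMBEDDING_DIRS = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
OFFICE_PART_NAME = re.compile(r"oleObject\d+\.bin$")  # how Office itself names embedded OLE parts

def _chain(fat, start):  # follow a FAT sector chain; stop at ENDOFCHAIN, out-of-range sectors or a loop
    seen, sid = set(), start
    while sid <= 0xFFFFFFFA and sid < len(fat) and sid not in seen:
        seen.add(sid)
        yield sid
        sid = fat[sid]

def read_cfb(data):
    """Minimal v3 compound-file reader: returns (sector_size, mini_cutoff, fat, directory entries)."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat, dir_start, _, mini_cutoff = struct.unpack_from("<IIII", data, 0x2C)
    fat = [v for sid in struct.unpack_from("<109I", data, 0x4C)[:n_fat]  # FAT sectors listed in the header DIFAT
           for v in struct.unpack_from("<%dI" % (sector_size // 4), data, (sid + 1) * sector_size)]
    entries = []
    for sid in _chain(fat, dir_start):
        for i in range(sector_size // 128):
            e = data[(sid + 1) * sector_size + i * 128:(sid + 1) * sector_size + (i + 1) * 128]
            name_len, etype = struct.unpack_from("<HB", e, 0x40)
            if etype:  # 0 marks an unused directory entry
                start, size = struct.unpack_from("<IQ", e, 0x74)
                entries.append({"name": e[:max(name_len - 2, 0)].decode("utf-16-le", "replace"), "type": etype,
                                "clsid": uuid.UUID(bytes_le=e[0x50:0x60]), "start": start, "size": size})
    return sector_size, mini_cutoff, fat, entries

def read_stream(data, sector_size, fat, entry):  # regular sectors only (stream stored outside the mini stream)
    return b"".join(data[(s + 1) * sector_size:(s + 2) * sector_size] for s in _chain(fat, entry["start"]))[:entry["size"]]

def parse_ole10native(blob):
    """Parse the Packager (Ole10Native) header and check its length fields against the stream."""
    declared_total = struct.unpack_from("<I", blob, 0)[0]  # number of bytes that should follow this field
    label, _, rest = blob[6:].partition(b"\x00")            # a 2-byte flags word precedes the label
    filename, _, rest = rest.partition(b"\x00")
    pos = len(blob) - len(rest) + 4                         # 4 more bytes of flags after the filename
    pos += 4 + struct.unpack_from("<I", blob, pos)[0]       # temp path, length-prefixed (NUL included)
    data_size, pos = struct.unpack_from("<I", blob, pos)[0], pos + 4
    return {"declared_total": declared_total, "actual_total": len(blob) - 4,
            "label": label.decode("latin-1"), "filename": filename.decode("latin-1"),
            "data_size": data_size, "data_available": len(blob) - pos,
            "sizing_ok": declared_total == len(blob) - 4 and data_size <= len(blob) - pos}

def triage_ole_part(data):
    """Apply the two Equation Editor heuristics from the report to one embedded compound-file part."""
    sector_size, mini_cutoff, fat, entries = read_cfb(data)
    root = next((e for e in entries if e["type"] == 5), None)
    f = {"equation_editor_clsid": bool(root and root["clsid"] == EQUATION_EDITOR_CLSID), "ole10native": None}
    for e in entries:
        # CFB name lookup is case-insensitive and renaming Ole10Native is a known way to dodge
        # exact-match scanners, so compare in lower case and ignore the leading \x01
        if e["type"] == 2 and e["name"].lstrip("\x01").lower() == "ole10native":
            info = {"stream_name": e["name"], "stream_size": e["size"], "name_canonical": e["name"] == "\x01Ole10Native"}
            if e["size"] >= mini_cutoff:  # smaller streams live in the mini stream, which this reader skips
                try:
                    info.update(parse_ole10native(read_stream(data, sector_size, fat, e)))
                except struct.error:  # header truncated or garbage: also malformed
                    info["sizing_ok"] = False
            f["ole10native"] = info
    f["payload_anomaly"] = bool(f["equation_editor_clsid"] and f["ole10native"] and not f["ole10native"].get("sizing_ok", True))
    return f

def triage_ooxml(zip_bytes):
    """Triage every compound-file part under the embeddings folders of an OOXML package."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for name in z.namelist():
            blob = z.read(name) if name.startswith(EMBEDDING_DIRS) else b""
            if blob.startswith(CFB_MAGIC):
                results[name] = dict(triage_ole_part(blob), nonstandard_part_name=not OFFICE_PART_NAME.search(name))
    return results

def build_sample(bad_size=True):
    """Constructed package, not the real sample: Equation Editor CLSID on the root entry plus a mixed-case
    Ole10Native stream. Label, filename, path and payload bytes are made up."""
    payload, path = bytes(range(256)) * 24, b"C:\\t\\update.exe"
    body = (b"\x02\x00package\x00update.exe\x00\x00\x00\x03\x00" + struct.pack("<I", len(path) + 1) + path + b"\x00"
            + struct.pack("<I", len(payload)) + payload)
    stream = struct.pack("<I", 0x10000 if bad_size else len(body)) + body  # total-size prefix, wrong when bad_size
    n_data = -(-len(stream) // 512)  # data sectors 2..n_data+1; sector 0 holds the FAT, sector 1 the directory
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + n_data)) + [ENDOFCHAIN]
    fat += [NOSTREAM] * (128 - len(fat))
    def entry(name, etype, clsid, child, start, size):
        n = name.encode("utf-16-le") + b"\x00\x00"
        return (n.ljust(64, b"\x00") + struct.pack("<HBBIII", len(n), etype, 1, NOSTREAM, NOSTREAM, child)
                + clsid.bytes_le + b"\x00" * 20 + struct.pack("<IQ", start, size))
    directory = (entry("Root Entry", 5, EQUATION_EDITOR_CLSID, 1, ENDOFCHAIN, 0)
                 + entry("\x01ole10NaTIve", 2, uuid.UUID(int=0), NOSTREAM, 2, len(stream))).ljust(512, b"\x00")
    header = (CFB_MAGIC + b"\x00" * 16 + struct.pack("<HHHHH6x", 0x3E, 3, 0xFFFE, 9, 6)
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0) + struct.pack("<I", 0) + b"\xff" * 432)
    cfb = header + struct.pack("<128I", *fat) + directory + stream.ljust(n_data * 512, b"\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/embeddings/7VN3qvUnb.Nzf2xUl", cfb)  # the sample's own, non-standard part name
    return buf.getvalue()
```

Running triage_ooxml(build_sample()) reports the Equation Editor CLSID, the non-canonical stream name and a total-size prefix that disagrees with the stream, so payload_anomaly is set; build_sample(bad_size=False) keeps the CLSID hit but clears the sizing anomaly, which is the distinction the second heuristic draws. On a real part the same reader works unchanged on the carved ooxml_oleobject_00.bin as well as on the .xlsx itself; a stream that olefile or oletools would also expose can be cross-checked against these results.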

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 5d020faf0788cae09c0e384caba32d56d3a3d8da517f9448b601ecc5ffb38d99
Kind: ooxml-ole-object
Source: OOXML embedded OLE part xl/embeddings/7VN3qvUnb.Nzf2xUl
Size: 993280 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
SHA-256: eb1e9774587e153b8c38fe83000c919f884926d10af7f207c1f4ebd257c2dbca
Kind: ole-package
Source: Ole10Native stream of xl/embeddings/7VN3qvUnb.Nzf2xUl, stored under the name ole10NaTIve (the canonical name is Ole10Native with a leading 0x01 byte; compound-file name lookup is case-insensitive, so the casing changes nothing for Office but does defeat case-sensitive stream-name matching)
Size: 982839 bytes