Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 2b0681eec91045b0…

MALICIOUS

Office (OOXML) / .XLSX

Size: 606.3 KB
Created: 2024-03-25 10:30:17 UTC
Authoring application: Microsoft Excel 12.0000
MD5: d69c62e9c312fbf87bc2d5f4ad115552
SHA-1: 7a302dda0396758179aa23052d6ff83e1b51cd36
SHA-256: 2b0681eec91045b0b15e026abaecbf187804c0023dd1eca864cceb9db5e75829
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is an OOXML document containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object is frequently used to deliver exploits, such as CVE-2017-11882, to compromise the user's system. No further executable content or network indicators were extracted from this sample.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/ACo2.9a7Oe contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 9cab48364a7d37f1663f8142bf91674593eff1470cca7c336cf9941c1cf18568
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/ACo2.9a7Oe
  Size: 906752 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 8167353d413b4ede32695e8beb2fc2ca76f9c6bc2c9c5bbf2f97988f935b0ad1
  Kind: ole-package
  Source: OOXML xl/embeddings/ACo2.9a7Oe, Ole10Native stream: olE10nAtive
  Size: 897322 bytes