Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 2eec9bc2945e7c15…

MALICIOUS

Office (OOXML)

Size: 679.8 KB
Created: 2021-03-16 05:28:29 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2021-06-13
MD5: 325a7a7940aef8ecebbb3fe4215fb052
SHA-1: c0038d023d0cfa1eff8f6e97b57de56a73b4b094
SHA-256: 2eec9bc2945e7c159ebf85056cc9315d1c90975566570a493557135f07cc0d5c
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an Excel document containing an embedded OLE object identified as an Equation Editor object. That object's Ole10Native stream exhibits anomalies indicating it likely carries a malicious payload. An embedded OLE object, particularly one that references the Equation Editor, is a common vehicle for delivering exploits.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/98pF9pr0.PxN contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high) [OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/98pF9pr0.PxN
  Size:    921600 bytes
  SHA-256: d61eba0cd99c9fdc3239bf2023652e84b409e76f1be75d3b7a6431e250b03f91

Filename: ooxml_oleobject_00_ole10native_00.bin
  Kind:    ole-package
  Source:  OOXML xl/embeddings/98pF9pr0.PxN Ole10Native stream: ole10natIvE
  Size:    911614 bytes
  SHA-256: 02483e740b9cb07bcb41747c1c66be87e6f27b1332e4d0a4f03c51431a7301ff