Xls.Downloader.Trojan-aa0b8f388d8573cd — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 2f1847af906cc4a6…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX

Size: 878.1 KB
Created: 2022-05-16 17:34:45 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2023-07-06

MD5: 7f575b1ab7b644022226749caf8a6ee4
SHA-1: f1c2b5bc36389a51cc5cc5aa954ecee5f7ba58e5
SHA-256: 2f1847af906cc4a6aeaccde939a7159fba4c09613b03395ace1cb6999e2648e5

Risk Score: 160

Malware Insights

Xls.Downloader.Trojan-aa0b8f388d8573cd · confidence 95%

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The file is identified as malicious by ClamAV with the signature Xls.Downloader.Trojan-aa0b8f388d8573cd. Static analysis revealed an embedded OLE object, specifically an Equation Editor object, a legacy component known to be exploited for delivering malicious payloads. The anomalous size of its Ole10Native stream suggests that the stream holds the actual malware payload.

Heuristics (4)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/kG.BEvbjWT contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0
  • Equation Editor object carries payload-like Ole10Native stream (severity: high; rule: OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/kG.BEvbjWT
  Size: 1067520 bytes
  SHA-256: e10abb7c4b19db7509c7da42a2fcf0caf06fa244f04debe1f31822033ed8a556

Filename: ooxml_oleobject_00_ole10native_00.bin
  Kind: ole-package
  Source: OOXML xl/embeddings/kG.BEvbjWT Ole10Native stream: ole10NaTiVe
  Size: 1056439 bytes
  SHA-256: 692f0a5dd948f3a4d8d8b62ee205425e52bc5fc8daa2d0784b2446aa278c0978

Filename: emf_00.emf
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 169096 bytes
  SHA-256: 38f17a599ac5d645df3840bbb401710ef81573a747da20abbfc1b7d9a9273b58