ZxxZDownloader — Office (OLE) / .XLSX malware analysis

Static analysis result for SHA-256 2fac16e8d2fef080…

MALICIOUS

Office (OLE) / .XLSX

Size: 36.0 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2022-05-13
MD5: 12f01625fe80e5a6c382d3dcc09847d4
SHA-1: 5c418b5150a2b34043def010fa77d85dec9a28a0
SHA-256: 2fac16e8d2fef080585a39787720fcec97effb67812372b4bcd2ac03e30665d4
Risk score: 160

Malware Insights

ZxxZDownloader · confidence 95%

MITRE ATT&CK
T1204.002 Malicious File

ClamAV flags the file as Ole2.Exploit.ZxxZDownloader, a signature family for OLE documents that abuse the Equation Editor (EQNEDT32.EXE) object, and the heuristics below corroborate it: the document embeds an Equation Editor object and carries the Windows API names 'LoadLibraryA' and 'ShellExecuteA' XOR-encoded with the single-byte key 0xFF. Encoded API names are characteristic of position-independent shellcode that decodes and resolves its imports at run time, and this particular pair is what a downloader needs to load a library, fetch a second stage and launch it. The likely execution chain is therefore: the victim opens the file (T1204.002), Office hands the embedded object to the Equation Editor, a malformed equation record triggers the memory-corruption bug (exploitation for client execution, T1203) and the shellcode downloads and runs the next stage. Equation Editor exploits need no macros, so the macro-enable warning offers no protection; opening the document is the only user interaction required. Two caveats for triage: this static report does not recover the download URL or the second-stage payload, so the actual delivered malware is unknown, and the type label pairs an OLE container with a .xlsx extension, whereas a genuine .xlsx is a ZIP-based OOXML package; if the extension on disk really is .xlsx, the format/extension mismatch is itself a further indicator.

Heuristics (3)

  • Equation Editor OLE object (severity: high, category: CVE related, rule: OLE_EQUATION_EDITOR)
    Contains an Equation Editor object, the component targeted by CVE-2017-11882 and CVE-2018-0802. The CLSID alone only shows that such an object is embedded; the exploit primitive is a malformed MTEF (equation) record inside the object's stream, which this check does not parse, so the CLSID hit is a reason to look closer, not proof of exploitation by itself.
  • XOR-encoded strings, key 0xFF (severity: critical, rule: SC_XOR_ENCODED)
    Found 7 occurrences of Windows library/API names XOR-encoded with the single-byte key 0xFF: 'LoadLibraryA' (4 occurrences) and 'ShellExecuteA' (3 occurrences). Plaintext API names inside an Office document would be unremarkable; encoded ones are a shellcode indicator, because code that has to decode its import names before resolving them is hiding them from string scanners.
  • ClamAV: Ole2.Exploit.ZxxZDownloader-9944376-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware with signature Ole2.Exploit.ZxxZDownloader-9944376-0.
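As an added example (not part of this report, and not ClamAV's or any scanner's own code), the two heuristics above can be reproduced on raw bytes in Python. It goes a little beyond the report's check by trying every single-byte XOR key rather than only 0xFF, and it combines the two signals the way the caveat above suggests: CLSID alone means "inspect the MTEF stream", CLSID plus encoded API names means shellcode is riding on the object. The API watch-list and the sample blob are constructed for this example; the Equation Editor CLSID value is the real Equation.3 class identifier.

```python
"""Re-implementation of the OLE_EQUATION_EDITOR and SC_XOR_ENCODED heuristics.

Added example, not part of the report or of ClamAV. The blob returned by
build_sample() is constructed to mimic the indicators listed above: one
Equation Editor CLSID plus 7 API names XOR-encoded with key 0xFF.
"""
import uuid
from typing import Dict, List, Tuple

# Equation Editor 3.0 (ProgID "Equation.3") class identifier. OLE stores a
# CLSID as 16 little-endian bytes in the directory entry of the embedded
# object's storage, which is the form the raw-bytes check looks for.
EQUATION_EDITOR_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")

# API names a downloader shellcode typically resolves at run time
# (assumed watch-list for this example; extend as needed).
API_NAMES = [
    b"LoadLibraryA", b"GetProcAddress", b"ShellExecuteA",
    b"URLDownloadToFileA", b"WinExec", b"ExpandEnvironmentStringsW",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one single-byte key (the encoding the report found)."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_apis(data: bytes, keys=range(1, 256)) -> List[Tuple[int, str, int]]:
    """Return (offset, api_name, key) for each API name present XOR-encoded
    with a single-byte key. Key 0 is excluded on purpose: plaintext API
    names are not the indicator, encoded ones are."""
    hits = []
    for key in keys:
        for name in API_NAMES:
            needle = xor_bytes(name, key)
            start = data.find(needle)
            while start >= 0:
                hits.append((start, name.decode("ascii"), key))
                start = data.find(needle, start + 1)
    return sorted(hits)


def contains_equation_editor_clsid(data: bytes) -> bool:
    """True if the Equation Editor CLSID appears as raw little-endian GUID
    bytes (OLE directory entry) or as braced text, or if the Equation.3
    ProgID string appears (as written in a CompObj stream)."""
    braced = ("{%s}" % EQUATION_EDITOR_CLSID).upper().encode("ascii")
    return (EQUATION_EDITOR_CLSID.bytes_le in data
            or braced in data
            or b"Equation.3" in data)


def triage(data: bytes) -> Dict[str, object]:
    """Combine both heuristics: the CLSID alone says 'an Equation Editor
    object is embedded, look closer'; CLSID plus encoded API names says
    shellcode is riding on that object."""
    hits = find_xor_encoded_apis(data)
    has_eqn = contains_equation_editor_clsid(data)
    per_name: Dict[str, int] = {}
    for _, name, _ in hits:
        per_name[name] = per_name.get(name, 0) + 1
    if has_eqn and hits:
        verdict = "likely Equation Editor exploit with embedded shellcode"
    elif has_eqn:
        verdict = "Equation Editor object present; inspect MTEF stream"
    elif hits:
        verdict = "XOR-encoded API names; inspect for shellcode"
    else:
        verdict = "no indicator from these two checks"
    return {"equation_editor_clsid": has_eqn,
            "xor_encoded_api_hits": len(hits),
            "xor_keys": sorted({k for _, _, k in hits}),
            "api_counts": per_name,
            "verdict": verdict}


def build_sample() -> bytes:
    """Constructed test blob (not the real sample): CLSID bytes followed by
    LoadLibraryA x4 and ShellExecuteA x3, all XOR 0xFF, as the report lists."""
    def enc(s: bytes) -> bytes:
        return xor_bytes(s, 0xFF)
    return (b"\x00" * 32
            + EQUATION_EDITOR_CLSID.bytes_le
            + b"\x00" * 16
            + enc(b"LoadLibraryA") * 4
            + b"\x00" * 8
            + enc(b"ShellExecuteA") * 3
            + b"\x00" * 32)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for offset, name, key in find_xor_encoded_apis(blob):
        print(f"0x{offset:06x}  {name:<26} key=0x{key:02x}")
    print(triage(blob))
```

One caveat when pointing this at a real file: a compound file stores streams in 512-byte (or 4096-byte) sectors that need not be contiguous, so a string straddling a sector boundary escapes a raw scan. For production triage, open the document with olefile and run find_xor_encoded_apis over each stream's bytes (ole = olefile.OleFileIO(path); ole.openstream(entry).read() for each entry in ole.listdir()) rather than over the file as a whole.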