Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 2fc1b29501e25369…

MALICIOUS

Office (OOXML) / .XLSX

Size: 689.9 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2023-09-20
MD5: 03afe43c3ea182773181e931f36a2ef9
SHA-1: 3f9392cce4fd803fa767395637409ec8f450e1c9
SHA-256: 2fc1b29501e2536956dbb90677c10a6bceb37b4944d39cf94ebf44f6f644baf0
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is an XLSX document containing an embedded OLE object, identified as an Equation Editor object. This technique is commonly used to exploit vulnerabilities or deliver secondary payloads. The document body contains what appears to be an invoice with product details and shipping information, potentially serving as a lure to encourage the user to interact with the embedded object.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/OgUVn.8BDWh contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: ade6df7daa8c53805501477eaa13488f3fbcb889bcdedc082f0f2364becab552
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/OgUVn.8BDWh
    Size: 991744 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 6c2851d95892f933338a9a6ec43c57b429f5245e43976089f4e95c4c04a33253
    Kind: ole-package
    Source: OOXML xl/embeddings/OgUVn.8BDWh Ole10Native stream: OlE10NATivE
    Size: 981069 bytes