Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 30658159746bcb82…

MALICIOUS

Office (OOXML) / .XLSX

589.5 KB Created: 2023-10-02 07:50:25 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2023-10-02
MD5: 038ea73ae3218e2bb8ea0ae9d66b1d18 SHA-1: 166ea5a5fe96dcaeaad52eb38ad91a5d58aa96ce SHA-256: 30658159746bcb8266a0f16e6b433300b7a47f413bca2dd162c66d77596f40a7
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The file is an Excel document containing an embedded OLE object, specifically identified as a vulnerable Equation Editor object. This object carries a payload-like Ole10Native stream, indicating it's designed to exploit a known vulnerability in the Equation Editor component to execute malicious code. The presence of this object strongly suggests an attack pattern focused on exploiting this specific vulnerability for initial compromise.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/nvwu.Yq contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
c04519d053c9c63fc6c91088bf8b887abc39e9bb05cdbea7e582b6392b52c4e8		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/nvwu.Yq 812544 bytes
ooxml_oleobject_00_ole10native_00.bin
85ab8576a47d615c02ce07ad37176909a97001b6e1ca00c2e55126b7243a873a		 ole-package OOXML xl/embeddings/nvwu.Yq Ole10Native stream: Ole10naTIvE 803804 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.