Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 31d61f0e8fd95c5d…

MALICIOUS

Office (OOXML) / .XLSX

Size: 638.2 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2022-03-18
MD5: 16c8baa8520965a99fd373227236e160
SHA-1: 61d0aa6df981589b74a613388f5f216bd04daccb
SHA-256: 31d61f0e8fd95c5d71954c86a35617a4449d0f872c1be00aa33ffc01518c4310
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1027 Obfuscated Files or Information

The sample is an OOXML document containing an embedded OLE object identified as an Equation Editor object. High-severity heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous header, suggesting it is used to exploit a vulnerability in the legacy Equation Editor component. The document body contains what appears to be a purchase order, most likely a lure to encourage the user to interact with the embedded object. No scripts were extracted, but the presence of the anomalous Ole10Native stream strongly indicates exploitation of an Equation Editor vulnerability to deliver a secondary payload.

Heuristics (3)

  • Equation Editor OLE object [severity: high, CVE-related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/JU3uy.1cJ7gy contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream [severity: high] OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [severity: medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 0e1f202a9579238d8095e75ac4fba489aa0293e43a1bf25a55ca9f322111b25b
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/JU3uy.1cJ7gy
  Size: 900096 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 6f9ccd5c7c53d5a818a28f247dc31a452de4aea8b00fe5e58eace3d68de07f0e
  Kind: ole-package
  Source: OOXML xl/embeddings/JU3uy.1cJ7gy Ole10Native stream: OlE10natIVE
  Size: 890838 bytes