Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 342ebeb8076f7308…

MALICIOUS

Office (OOXML) / .XLSX

Size: 631.0 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2024-08-06

MD5: 8592c2e67a473b5f241804c1e3c51fed
SHA-1: aaee1e24591c754a58d9ddff336ea8fddf6d22e6
SHA-256: 342ebeb8076f7308dba7e40c79977474a2df3a22ec1d96aeb1f5f07a8665b006

Risk Score: 100

Malware Insights

MITRE ATT&CK

  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The sample is an Excel document containing an embedded OLE object identified as an Equation Editor object. Heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream, a technique commonly used to exploit vulnerabilities or deliver malware. The declared inner package size is large relative to the actual stream size, which suggests obfuscation or an attempt to hide malicious content. The visible document body appears to be a fabricated purchase order, most likely a lure.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related) rule: OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/g5NtOEKB.Q0Z929 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high) rule: OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium) rule: OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256:  dd59947f886f78535e5c7398afee91d163e5f9950f7f87de456f6386b06ced4b
  Kind:     ooxml-ole-object
  Source:   OOXML embedded OLE part: xl/embeddings/g5NtOEKB.Q0Z929
  Size:     870400 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256:  27ec2a46ac6c7a8fc6e7f368401f52b60fcb4a79682d712d92cee841bea194da
  Kind:     ole-package
  Source:   OOXML xl/embeddings/g5NtOEKB.Q0Z929 Ole10Native stream (stream name as stored: OLe10nAtIvE)
  Size:     861049 bytes