Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 34d36c0ca4ccc34d…

MALICIOUS

Office (OLE) / .XLSX

557.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2023-01-18
MD5: 4fa5cc8255e2b850d299634c0c599077 SHA-1: 2dc5b1dafb878948757c736fd4ab3a39a3a0c652 SHA-256: 34d36c0ca4ccc34d58c871b6cd5707b9a4c58a009104e79395c0b5bb2afe03e2
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical heuristic firing for CVE_2017_11882_EQUATION_OLE10NATIVE indicates the exploitation of a known vulnerability in Microsoft Equation Editor. This technique is commonly used to execute arbitrary code, likely to download and run a secondary payload. The presence of multiple embedded OLE objects further supports this attack vector.

Heuristics 2

  • Equation Editor Ole10Native payload — CVE-2017-11882 critical CVE likely CVE_2017_11882_EQUATION_OLE10NATIVE
    An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin
0e74f03b42dbfb73650ae77db35efc03f254670fe5c220fbf54bacb45cb41486		 ole-package OLE Ole10Native stream: MBD021E97C6/Ole10Native 50530 bytes
ole10native_01.bin
c6ca11d29d9c63edb6c18e578c7063d9707db08bf4afbe95cdf6a70c6fbbbc38		 ole-package OLE Ole10Native stream: MBD021E97C7/Ole10Native 50542 bytes
ole10native_05.bin
01216baeffa339a0ae8c570b0a71680e28a17027acc777681a4fab0b1adbfc27		 ole-package OLE Ole10Native stream: MBD021E97CB/ole10nATIVE 1201 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.