Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 354e568b8006edc6…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.97 MB
Created: 2019-11-27 09:20:57 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 40065499d72645ba2e7ebf5867512166
SHA-1: 0c2d6ad470170add64b4cd42a4298e8c0f32a5e5
SHA-256: 354e568b8006edc6b2927252aabcbb1cdfcec69ce1fb231dd2b573caa6eeb25c
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1566.002 Spearphishing Attachment

The sample is an Office document that contains an embedded OLE object, specifically identified as an Equation Editor object. It also includes a lure within the document body instructing the user to 'enable editing' to view financial information, a common tactic used to bypass Office macro security. The presence of the embedded OLE object, combined with the enable-editing lure, strongly suggests an attack pattern aimed at executing malicious code via the OLE object.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/WWeIuJbmm.avH contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
  • Macro/content-enable lure (severity: medium) [SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 93642ac583398be0c54b5262b6f26b9c394d7d6d76122dccc5df74dee272c0fa
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/WWeIuJbmm.avH
Size: 2768384 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
SHA-256: 988e1d0df0d284c04b1da453837eac2a82fb623c8b09ce390184a041869c8f14
Kind: ole-package
Source: OOXML xl/embeddings/WWeIuJbmm.avH Ole10Native stream: OLE10naTiVe
Size: 2744175 bytes