Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 36cb95a3f8294818…

Verdict: MALICIOUS
File type: Office (OOXML) / .XLSX
Size: 588.7 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 6d622d241526560dcfd39335c249cd6e
SHA-1: cc0d6a0f1cab1b41ef8553318b126225f8604f34
SHA-256: 36cb95a3f8294818da3c9561fa21681028e4e878dcb938ca5a43d36c46e31a9e
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The high-severity heuristic firing for an Equation Editor OLE object indicates the presence of a known exploit delivery mechanism within the document. The embedded OLE object is the primary indicator of malicious intent. While no scripts were extracted, the nature of the embedded object suggests it is designed to execute malicious code upon interaction.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/TxED.wlPMG contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis (Filename, SHA-256, Kind, Source, Size).

  • ooxml_oleobject_00.bin
    SHA-256: 7e25f39281e70af4faeafc3c646f72c3776ae2c129bd655472ac3294007d2023
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/TxED.wlPMG
    Size: 856064 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 9d4a906e870d2335a2c7d9b6102e164165f384b1ed1e764493f60bcbfc23cdba
    Kind: ole-package
    Source: OOXML xl/embeddings/TxED.wlPMG Ole10Native stream: oLE10natIve
    Size: 846520 bytes