Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 379976c141ce4148…

MALICIOUS

Office (OOXML) / .XLSX

Size: 707.9 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
MD5: be3e53786e52912554c0536ffde9c04b
SHA-1: 25b72ee9155ee6be735d21f555211d068db1b146
SHA-256: 379976c141ce41489b6228631172ea0e7cb2bc984cdc6cd37606448e9de4a64f
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an OOXML file containing an embedded OLE object identified as an Equation Editor object. Embedding Equation Editor objects is a common technique for exploiting vulnerabilities in the Equation Editor component in order to execute arbitrary code. The high risk score and the unknown exploit score further support the malicious nature of this embedded object.

Heuristics (2)

  • Equation Editor OLE object [severity: high] [CVE related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/jJ.GWFwt contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [severity: medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                                 Kind               Source                                                              Size
ooxml_oleobject_00.bin                   ooxml-ole-object   OOXML embedded OLE part: xl/embeddings/jJ.GWFwt                     1047552 bytes
  SHA-256: d62e2e3f7facd6848852fa5ed95c1b4f944895053ccdc4e2aca05ea906ce9db4
ooxml_oleobject_00_ole10native_00.bin    ole-package        OOXML xl/embeddings/jJ.GWFwt Ole10Native stream: Ole10naTIVE        1037182 bytes
  SHA-256: 54d51621624dba2c9fbec84bde4775b68c12710c88040a399b8cb12fa67a76cb