Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 3818622d88bc72f9…

MALICIOUS

Office (OOXML) / .XLSX

Size: 730.4 KB
Created: 2020-06-30 06:04:05 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 4e3b78d4582fcc53dd75bd6d272a734e
SHA-1: 1c3daa2dc116b06653e6ad4b4bef058bc9effdee
SHA-256: 3818622d88bc72f96f0fdff19d1f925049d2e07e32a14b08642bf906fbc17fe9
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The sample is an OOXML file containing an embedded OLE object identified as an Equation Editor exploit. This type of object is commonly used to deliver malicious payloads by exploiting vulnerabilities in the Equation Editor component. The presence of this exploit strongly suggests an attempt to execute arbitrary code upon opening the document.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE-related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/wF.7AlVcP contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    Hash (SHA-256): 6147383fc3a3b7b7dc67dd0e92e050dbd25aea0e4e4defc857a8e1db0b315a15
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/wF.7AlVcP
    Size: 816128 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    Hash (SHA-256): 322466855e0f36e611f4b981826e6bdc713069249374b9c88f5968d9add8910b
    Kind: ole-package
    Source: OOXML xl/embeddings/wF.7AlVcP Ole10Native stream: oLE10NatIVe
    Size: 807226 bytes