Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 390eed7514135cea…

MALICIOUS

Office (OOXML) / .XLSX

742.4 KB Created: 2023-09-27 08:05:40 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2023-10-02
MD5: 8cc1ab41a0a49594e2ec54db1e3b0b4a SHA-1: e86d30161bd43884ac4dda0e680ab0fadad8d813 SHA-256: 390eed7514135cead1ef935759e0ed3ccbedbc60805d4ce8b012db1f75a5f6f9
100 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model   T1204.002 User Execution: Malicious File

The file contains an embedded OLE object whose CLSID identifies it as an Equation Editor (EQNEDT32) object. A genuine Equation Editor object stores its formula in an "Equation Native" stream; this one instead carries an Ole10Native (Package) stream, and that stream is anomalous: its actual length is far larger than the size declared in its 4-byte header, and its contents are high-entropy, which indicates a packed or obfuscated payload rather than an equation. Together these traits strongly suggest the file is designed to exploit the Equation Editor component or to drop malware when the embedded object is activated.

Heuristics (3)

  • Equation Editor OLE object [high, CVE related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/C94.VfXcE contains the Equation Editor CLSID ({0002CE02-0000-0000-C000-000000000046}), the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream [high] OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    The embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream whose declared package size does not match its real length. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not attributed to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    The document contains an embedded OLE object.
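The following script is an added illustration of the three signals the report combines (Equation Editor CLSID in an embedded OLE part, an Ole10Native stream whose declared size disagrees with its real length, and high entropy in that stream). It is not the report generator's tooling. It scans a carved OLE part for the CLSID bytes directly instead of parsing the compound-file directory (a deliberate simplification; olefile would read the CLSID from the root entry), matches the stream name case-insensitively because the carved stream in this sample is named "oLE10NatiVe", and runs on constructed sample bytes, not on data carved from the analysed file.

```python
"""Triage checks for an Equation Editor OLE object carrying a payload-shaped Ole10Native stream.

Added example, not the report's own tooling. All sample bytes below are constructed.
"""
import io
import math
import random
import struct
import uuid
import zipfile

# Equation Editor 3.0 CLSID. bytes_le is the GUID byte order stored in an OLE
# compound file's directory entry, so it is what a raw byte scan must look for.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQUATION_EDITOR_CLSID_BYTES = EQUATION_EDITOR_CLSID.bytes_le
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # compound file header signature
PAYLOAD_ENTROPY_THRESHOLD = 7.0  # bits/byte; packed or encrypted data sits near 8


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_ole10native_name(name):
    """Match the Ole10Native stream name case-insensitively, ignoring the leading \\x01.

    Real samples case-mangle the name (this report shows "oLE10NatiVe")."""
    return name.lstrip("\x01").lower() == "ole10native"


def check_ole10native(stream):
    """Compare the size declared in the Ole10Native header with the real body length.

    The first DWORD states the size of everything that follows it; a body that is
    much larger than that, and high-entropy, is the anomaly the report flags."""
    if len(stream) < 4:
        return {"error": "stream shorter than its 4-byte size header"}
    declared = struct.unpack("<I", stream[:4])[0]
    body = stream[4:]
    entropy = shannon_entropy(body)
    return {
        "declared_size": declared,
        "actual_size": len(body),
        "size_mismatch": declared != len(body),
        "entropy": round(entropy, 3),
        "payload_like": declared < len(body) and entropy > PAYLOAD_ENTROPY_THRESHOLD,
    }


def ole_part_has_equation_editor_clsid(part):
    """Heuristic raw scan of a carved OLE part for the Equation Editor CLSID bytes."""
    return part.startswith(OLE_MAGIC) and EQUATION_EDITOR_CLSID_BYTES in part


def triage_xlsx(xlsx_bytes):
    """List the embedded OLE parts of an OOXML workbook and flag Equation Editor ones."""
    results = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("xl/embeddings/"):
                part = z.read(name)
                results.append({"part": name, "size": len(part),
                                "equation_editor": ole_part_has_equation_editor_clsid(part)})
    return results


def build_constructed_samples():
    """Constructed inputs: a fake workbook zip, a hostile and a benign Ole10Native stream."""
    # Fake OLE part: header signature, padding, then the CLSID where a directory
    # entry might hold it. Not a valid compound file, just enough for the scan.
    fake_ole_part = OLE_MAGIC + b"\x00" * 504 + EQUATION_EDITOR_CLSID_BYTES + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/embeddings/oleObject1.bin", fake_ole_part)
    # Hostile stream: header claims 64 bytes, but 4096 bytes of seeded
    # pseudo-random data follow, standing in for a packed payload.
    rng = random.Random(7)
    hostile = struct.pack("<I", 64) + bytes(rng.getrandbits(8) for _ in range(4096))
    # Benign stream: header and body agree and the body is plain text.
    text = b"Hello from a Package object. " * 20
    benign = struct.pack("<I", len(text)) + text
    return buf.getvalue(), hostile, benign


if __name__ == "__main__":
    xlsx, hostile, benign = build_constructed_samples()
    print(triage_xlsx(xlsx))
    print("hostile:", check_ole10native(hostile))
    print("benign: ", check_ole10native(benign))
    print("name match:", is_ole10native_name("\x01oLE10NatiVe"))
```

On a real sample, replace the constructed zip with the workbook bytes and feed each carved Ole10Native stream (extracted with olefile or oletools' oleobj) to check_ole10native; the size comparison is the cheap, dependency-free version of the report's OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY check, and the CLSID scan of OLE_EQUATION_EDITOR.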

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                                Kind               Source                                                               Size
ooxml_oleobject_00.bin                  ooxml-ole-object   OOXML embedded OLE part: xl/embeddings/C94.VfXcE                     1030144 bytes
  SHA-256: 5392cdb8a4bcbedb189cf31318df810de9b8fde872abb9a5aac4e38036821226
ooxml_oleobject_00_ole10native_00.bin   ole-package        Ole10Native stream of xl/embeddings/C94.VfXcE (stream name as stored: oLE10NatiVe, a case-mangled form of the canonical Ole10Native)   1019638 bytes
  SHA-256: 79917fe0055f5a658d1771719d9e3d4989208b0286f810e1900be0c73e127836