Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 39716d3bdd8fa9cd…

MALICIOUS

Office (OOXML)

Size: 1.53 MB
Created: 2021-04-28 21:02:36 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2021-06-13
MD5: d63c75757e499285d348e344040f190c
SHA-1: 7d920d2bc7aa5bff00019d96e315c024c418a5fe
SHA-256: 39716d3bdd8fa9cda707286570731e8165ea97685dbbd6239cc6c5468e8a035d
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The file is an OOXML document containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. High-severity heuristics indicate anomalies within the Equation Editor's native stream, strongly suggesting exploitation of CVE-2018-0798. This vulnerability allows for the execution of arbitrary code, likely leading to the download and execution of a secondary payload.

Heuristics (6)

  • Equation Editor OLE object (severity: high; CVE related; OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/c0G6qHgJ.aO contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • CVE-2018-0798 — anomalous Equation Editor native stream (severity: high; CVE likely; CVE_2018_0798_EQUATION_NATIVE_ANOMALY)
    Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high; OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • NOP-equivalent sled detected (severity: medium; SC_NOP_EQUIV_SLED)
    Long run of 0x40 bytes
    Disassembly
    Attempted x86 opcode disassembly
  • Embedded OLE object (severity: medium; OOXML_OLE_OBJECT)
    Document contains an embedded OLE object
  • Suspicious extracted artifact (severity: info; EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/c0G6qHgJ.aO
Size: 1903616 bytes
SHA-256: 54297f53dbfefbfe8a5b07a9e31aeeae42fe4085994054acc1b1ccbb346dc4e9
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact entropy is 7.98, consistent with packed or encrypted content)

Filename: ooxml_oleobject_00_ole10native_00.bin
Kind: ole-package
Source: OOXML xl/embeddings/c0G6qHgJ.aO Ole10Native stream: Ole10Native
Size: 1885775 bytes
SHA-256: 75ff07334b89e5280a89a54d7b6386a61295ca502933aa0a98f058c5d39d0f67
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)