Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 3a43d551d6d99c0b…

MALICIOUS

Office (OOXML) / .XLSX

Size: 645.2 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2023-07-11
MD5: 53dd7065112a0499d55ea95b73086475
SHA-1: 81e2b8962616e9834a97d7803fd87e74e4973ee7
SHA-256: 3a43d551d6d99c0b40c89e1761c5845ffa3c2ab4cb2b0890185c65d164ff8a0e
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.001 Malicious Link

The file is an Office document containing an embedded OLE object identified as an Equation Editor exploit, a technique frequently used to execute arbitrary code when the embedded object is opened. The embedded object's filename, 'QjzhLPvB.Fo', is listed as an IOC. No scripts were extracted, and the document body appears to be unrelated business content, suggesting that the malicious functionality resides solely in the embedded object.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/QjzhLPvB.Fo contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: fa10dd6b308559741916198abca2466f7d2c6009158ee57b4967a0974dd2337e
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/QjzhLPvB.Fo
    Size: 953856 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 13403d1503d351584e9769e2d1bede747b013950379b7581796cd897f861ce69
    Kind: ole-package
    Source: OOXML xl/embeddings/QjzhLPvB.Fo Ole10Native stream: ole10nAtive
    Size: 944034 bytes