Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3ab81f5ab9acef1e…

MALICIOUS

Office (OOXML)

718.8 KB Created: 2020-01-08 16:45:10 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2021-05-23
MD5: 87a1a0fde76e06ef439a382bc9cc5ce2 SHA-1: 8b718415c2d36487cdf54d136667a17e4b2e8b94 SHA-256: 3ab81f5ab9acef1e0303560aec83592a433742fa05f00de9f9c41f2eb19c409e
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an Excel document containing an embedded OLE object, identified as an Equation Editor. This object has an anomalous Ole10Native stream, indicating it likely carries a malicious payload. The presence of an embedded OLE object, particularly an Equation Editor, is a common technique for exploiting vulnerabilities to execute arbitrary code. The document body contains what appears to be order or inventory data, likely a lure.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/qLViv10uX.IiDbJ contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/qLViv10uX.IiDbJ 1052672 bytes
SHA-256: af0ce11206867862004af590aa1c01092a8cf1ad9b1d898f28a4d695958bbe9c
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML xl/embeddings/qLViv10uX.IiDbJ Ole10Native stream: oLE10naTIvE 1041880 bytes
SHA-256: 456ee3ad2709d3e8e6f56d7b838c2a1cff4e223bdb54a3dc9586f51fd0b1e4f9

Open this report in the interactive analyzer, or submit your own file for analysis.