Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 3b9766cbc7748946…

MALICIOUS

Office (OOXML) / .XLSX

Size: 12.8 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 14.0300
MD5: d326c24731e7d605642bde6d957920aa
SHA-1: d93aeff54ded484bde11a31de2f57865b8c4fa49
SHA-256: 3b9766cbc77489463dfe9a4e59dbe6ee91c7e4545da8077835adf3788cbaa875
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The file is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. High-severity heuristics indicate the presence of CVE-2018-0798, a vulnerability associated with anomalous Equation Editor native streams. This strongly suggests the document is designed to exploit this vulnerability upon opening, leading to arbitrary code execution. The embedded OLE object is the primary vector for this exploit.

Heuristics (3)

  • Equation Editor OLE object (severity: high; CVE-related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • CVE-2018-0798 - anomalous Equation Editor native stream (severity: high; CVE likely; rule: CVE_2018_0798_EQUATION_NATIVE_ANOMALY)
    Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 7e9901712baaa80e2e6952e350773687c457c30082596ccb436e985a296b1c94
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/oleObject1.bin
  Size:    4608 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 859d07eebb6d91fca8303f8fd47c188cb436928ffe035321e4c070e76cd6c851
  Kind:    ole-package
  Source:  OOXML xl/embeddings/oleObject1.bin, Ole10Native stream (OlE10nAtivE)
  Size:    2182 bytes