Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 3bfa07ee01575a43…

MALICIOUS

Office (OOXML) / .XLSX

Size: 635.9 KB
Created: 2024-03-25 10:30:17 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 89608d44289affa0a08963c830fbe70e
SHA-1: cf0029f602dfe90e0f3f52b0d4f6a31518864084
SHA-256: 3bfa07ee01575a43c59348a40d8a9acd4cd706956e4c04bb066056cdd0cc7201
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an Excel file containing an embedded OLE object identified as an Equation Editor object. Embedding this legacy component is a common way to deliver exploits, typically targeting memory-corruption vulnerabilities in the Equation Editor itself (EQNEDT32.EXE). The presence of this object strongly suggests an exploitation attempt against the application, and by extension the user who opens the file.

Heuristics (2)

  • Equation Editor OLE object — severity: high; CVE related; rule: OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/l05nS00Y.pkzt contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object — severity: medium; rule: OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 97da3dac0ca6203384c5f36804d3149f7e0d788837c09f690de331c6ca89f24b
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/l05nS00Y.pkzt
  Size: 952832 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: b91b97097c932c77fe1a3164185a61faf930d35b9b6dd038f61e3716c2d75ec9
  Kind: ole-package
  Source: OOXML xl/embeddings/l05nS00Y.pkzt Ole10Native stream: oLe10naTIve
  Size: 942683 bytes