Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 3c5c6fa81cf92ded…

Verdict: MALICIOUS

File type: Office (OOXML)

Size: 742.4 KB
Created: 2019-11-27 09:20:57 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2021-05-23
MD5: 9a51e3b1a5d82729da22b40768e5e372
SHA-1: 2e9d99f4be8764de3718278a8c22b9226ccf4059
SHA-256: 3c5c6fa81cf92dedeef652b2d7b12a372bd1b693360957c2142a1f11ad2f681c
Risk Score: 140

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The sample is an OOXML (Excel) workbook containing an embedded OLE object whose CLSID identifies it as a Microsoft Equation Editor object. High-severity heuristics flag that this object carries an anomalous Ole10Native stream: large, high-entropy, and with size fields that do not match the stream's actual length, which is the shape of a payload container rather than an equation. A run of 0x90 (NOP) bytes inside the embedded object is consistent with shellcode staged for a client-side exploit, though the Equation Editor CLSID identifies the vulnerable component and not which CVE is used; no MTEF/Equation Native primitive was matched. The visible sheet content is a list of part numbers and quantities, most likely a lure.

Heuristics (4)

  • Equation Editor OLE object  [high | CVE related | OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/mzu.UggZ8y contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798. This identifies the vulnerable component, not which (if any) of those CVEs the sample triggers.
  • NOP sled detected  [high | SC_NOP_SLED]
    Found 96 consecutive 0x90 bytes (heuristic threshold: 20+)
    Disassembly
    Attempted x86 opcode disassembly
    00003385  90                nop
    00003386  90                nop
    00003387  90                nop
    ...       (92 identical single-byte nop lines omitted; every offset from 00003388 through 000033E3 is 0x90)
    000033E4  90                nop
  • Equation Editor object carries payload-like Ole10Native stream  [high | OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object  [medium | OOXML_OLE_OBJECT]
    Document contains an embedded OLE object
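
The two high-severity findings above rest on two mechanical checks: comparing every size field in the Ole10Native header against what the stream actually holds, and scanning the carried data for long runs of 0x90. The Python below is an added example, not code from this report or from the analysis tool that produced it. It assumes the commonly documented Packager layout for Ole10Native (the two reserved words after the filename and the temp-path length field are part of that assumption), assumes MS-CFB's case-insensitive directory-name matching, and uses constructed sample streams and illustrative function names rather than bytes carved from the sample.

```python
"""Triage helpers for an Equation Editor / Ole10Native sample (added example).

Assumptions, not taken from the report:
  * Ole10Native layout follows the commonly documented Packager stream:
      u32 total_size (bytes after this field), u16 flags (0x0002 = embedded),
      sz label, sz filename (NUL-terminated ANSI), u16 reserved, u16 reserved
      (0x0000, 0x0003 in practice), u32 temp_path_len, sz temp_path,
      u32 data_size, data[].
  * CFB directory names are matched case-insensitively (MS-CFB), so a
    mixed-case "ole10NaTiVe" resolves to the canonical 0x01 + "Ole10Native".
  * Sample streams below are constructed here, not carved from the sample.
"""
import struct
import uuid

EQUATION_EDITOR_CLSID = "0002ce02-0000-0000-c000-000000000046"
EQUATION_EDITOR_CLSID_BYTES = uuid.UUID(EQUATION_EDITOR_CLSID).bytes_le


def clsid_from_directory_entry(raw16: bytes) -> str:
    """Decode the 16-byte CLSID field of a CFB directory entry (mixed-endian GUID)."""
    return str(uuid.UUID(bytes_le=raw16))


def is_equation_editor_clsid(raw16: bytes) -> bool:
    return clsid_from_directory_entry(raw16) == EQUATION_EDITOR_CLSID


def is_ole10native_name(name: str) -> bool:
    """Match the stream name the way a CFB lookup does: case-insensitively,
    ignoring the leading 0x01 control byte of the canonical name."""
    return name.lstrip("\x01").lower() == "ole10native"


def _cstring(buf: bytes, pos: int):
    end = buf.index(b"\x00", pos)  # ValueError if the string is unterminated
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Parse the header and check each declared size against what is present.

    A non-empty 'anomalies' list is the 'malformed package sizing' condition."""
    out = {"anomalies": [], "data": b""}
    try:
        total_size, flags = struct.unpack_from("<IH", stream, 0)
        if total_size != len(stream) - 4:
            out["anomalies"].append(f"declared total size {total_size} != actual {len(stream) - 4}")
        if flags != 0x0002:
            out["anomalies"].append(f"unexpected flags 0x{flags:04x}")
        pos = 6
        out["label"], pos = _cstring(stream, pos)
        out["filename"], pos = _cstring(stream, pos)
        _, _, temp_len = struct.unpack_from("<HHI", stream, pos)  # reserved, reserved, length
        pos += 8
        out["temp_path"], end = _cstring(stream, pos)
        if temp_len != end - pos:
            out["anomalies"].append(f"declared temp path length {temp_len} != actual {end - pos}")
        pos = end
        data_size, = struct.unpack_from("<I", stream, pos)
        pos += 4
        remaining = len(stream) - pos
        if data_size > remaining:
            out["anomalies"].append(f"declared data size {data_size} exceeds {remaining} bytes remaining")
        out["data_size"] = data_size
        out["data"] = stream[pos:pos + data_size]
    except (struct.error, ValueError) as exc:
        out["anomalies"].append(f"truncated or unterminated header: {exc}")
    return out


def find_nop_sleds(buf: bytes, min_run: int = 20) -> list:
    """Return (first, last) offsets of every run of at least min_run 0x90 bytes."""
    sleds, i, n = [], 0, len(buf)
    while i < n:
        if buf[i] != 0x90:
            i += 1
            continue
        j = i
        while j < n and buf[j] == 0x90:
            j += 1
        if j - i >= min_run:
            sleds.append((i, j - 1))
        i = j
    return sleds


def build_ole10native(label, filename, temp_path, data, declared_total=None, declared_data=None) -> bytes:
    """Construct a stream; the declared_* overrides produce the malformed case."""
    body = struct.pack("<H", 0x0002)
    body += label.encode("latin-1") + b"\x00" + filename.encode("latin-1") + b"\x00"
    body += struct.pack("<HHI", 0, 3, len(temp_path) + 1) + temp_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", len(data) if declared_data is None else declared_data) + data
    return struct.pack("<I", len(body) if declared_total is None else declared_total) + body


# Constructed payload: filler, a 96-byte sled, then INT3 bytes standing in for shellcode.
PAYLOAD = b"A" * 0x100 + b"\x90" * 96 + b"\xcc" * 16
WELL_FORMED = build_ole10native("invoice.exe", "C:\\tmp\\invoice.exe", "C:\\tmp\\invoice.exe", PAYLOAD)
MALFORMED = build_ole10native("invoice.exe", "C:\\tmp\\invoice.exe", "C:\\tmp\\invoice.exe", PAYLOAD,
                              declared_total=0x00FF0000, declared_data=len(PAYLOAD) + 5000)


def triage(stream: bytes) -> dict:
    """Combine both checks into one record for a carved stream."""
    parsed = parse_ole10native(stream)
    sleds = find_nop_sleds(parsed["data"])
    return {"anomalies": parsed["anomalies"], "sleds": sleds,
            "suspicious": bool(parsed["anomalies"] or sleds)}


if __name__ == "__main__":
    for name, stream in (("constructed-well-formed", WELL_FORMED), ("constructed-malformed", MALFORMED)):
        r = triage(stream)
        print(name, "suspicious" if r["suspicious"] else "clean")
        for a in r["anomalies"]:
            print("  anomaly:", a)
        for first, last in r["sleds"]:
            print(f"  nop sled {first:08X}-{last:08X} ({last - first + 1} bytes)")
```

Run against a stream carved from a real sample, the parser reports mismatches between the declared and actual sizes (the well-formed constructed stream yields none; the malformed one yields two), and the sled finder reports the same kind of offset range the listing above shows. Note that a well-formed Ole10Native header with a sled inside is still suspicious: the sizing anomaly and the sled are independent signals.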

Extracted artifacts (2)

Files carved from inside the sample during analysis.

1. ooxml_oleobject_00.bin
   Kind:    ooxml-ole-object
   Source:  OOXML embedded OLE part xl/embeddings/mzu.UggZ8y
   Size:    1046528 bytes (2044 sectors of 512 bytes, consistent with a compound file)
   SHA-256: 5485b956874fff34100f2795ce0fcca9c902f9875d6d4ae224b41a29aa091f95
2. ooxml_oleobject_00_ole10native_00.bin
   Kind:    ole-package
   Source:  Ole10Native stream (named "ole10NaTiVe") inside xl/embeddings/mzu.UggZ8y
   Size:    1035834 bytes
   SHA-256: 771bd7a893cd1236eeb977bfdcd50d2c9488a3f16232843f8ecff4862eca2d09

The stream name is mixed-case rather than the canonical "\x01Ole10Native". Compound-file directory lookups are case-insensitive, so the stream is still found and loaded, but signatures that match the stream name with exact case will miss it; treat the odd casing as a further indicator, not as a reason to discount the stream.