Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 3eb668ea2da7b409…

Verdict: MALICIOUS
File type: Office (OOXML) / .XLSX
Size: 848.5 KB
Created: 2020-07-07 21:52:29 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-03-16
MD5: 7838cd2374073efd352e3afa1c2747e3
SHA-1: 325fc79704af2980bdf63b09dd3c4b10cc0cf69f
SHA-256: 3eb668ea2da7b409d195c9f88f45e2ef6292d757f633a9886f963f7b2c08f5e2
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The primary indicator of maliciousness is an embedded Equation Editor OLE object inside the XLSX file. This legacy component is frequently abused to trigger memory-corruption vulnerabilities in Microsoft Office that lead to arbitrary code execution. No specific exploit code or second-stage payload was extracted directly, but the presence of the embedded object strongly suggests an attempt to exploit an Equation Editor vulnerability.

Heuristics (2)

  • OLE_EQUATION_EDITOR (severity: high, CVE related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • OOXML_OLE_OBJECT (severity: medium): Embedded OLE object
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: eca9873d98a653595a7e325b9246bf4b76e1b89ab5201e2b37d646930d6f4ce3
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part xl/embeddings/oleObject1.bin
    Size: 1022976 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 8b69ce5d3811b511e721b0198d589b3716f0d7ad53fae075b1bb5cdbfe2288f2
    Kind: ole-package
    Source: Ole10Native stream (Ole10Native) inside OOXML part xl/embeddings/oleObject1.bin
    Size: 1012408 bytes