Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 3f7ac7e60df9a3c6…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.00 MB
Created: 2023-11-17 18:26:59 UTC
Authoring application: Microsoft Excel 12.0000
MD5: b71f9aae7bf33cb0e64557e8d18a2fd2
SHA-1: 78411412238761505191036ac37fca1fb2fd0ae6
SHA-256: 3f7ac7e60df9a3c6997533c2a2532985c689e53300fa9503d7179dba93f7988d
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking
T1204.002 Malicious File

The sample is an XLSX file containing an embedded OLE object, specifically identified as an Equation Editor object. This strongly suggests the exploitation of a known vulnerability within the Equation Editor component to execute arbitrary code. The embedded object's filename is also provided as an IOC.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE related, rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/dpmaa3.PZuNhy7 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

Filename: ooxml_oleobject_00.bin
SHA-256: d1cfa94d233dd31b2faaadb5da22c50628fbec10c22ae1bfeafae3b1f4a9f8e0
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/dpmaa3.PZuNhy7
Size: 2807296 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
SHA-256: 68c0138f5220ca7268e4b31c9be353b93ae957bc813d863d8acbc6bbc2c11bd4
Kind: ole-package
Source: OOXML xl/embeddings/dpmaa3.PZuNhy7 Ole10Native stream: OLE10naTiVE
Size: 2782871 bytes