Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 3f7dce77eb0dc3f4…

MALICIOUS

Office (OOXML) / .XLSX

Size: 596.3 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2022-03-03
MD5: be0aa483dbe3de9a3582edfa5b731a3f
SHA-1: 9b03b55e46e10ed8de63fccb1e3c1247174dc451
SHA-256: 3f7dce77eb0dc3f452f0e5e3ab6650aaa277b335d5267c8a4a786d9b50866d35
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The sample is an OOXML document containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream, with an anomalous declared inner size significantly larger than the actual stream size. This strongly suggests the exploitation of a known vulnerability within the Equation Editor component to execute arbitrary code. The document body presents a purchase order, likely a lure to entice the user to open and interact with the malicious content.

Heuristics (3)

  • Equation Editor OLE object — severity: high — rule: OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/Tb.U0GGSx contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream — severity: high — rule: OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object — severity: medium — rule: OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: aeb7c9fb6b6c0dbda857dd31db13620f28256cef7957d265896f7a2bd0a55eff
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/Tb.U0GGSx
    Size: 803328 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 112b44d7db13d19ed83acaa50fe85adff3e362038a25bddea9d77d9229c79db2
    Kind: ole-package
    Source: OOXML xl/embeddings/Tb.U0GGSx Ole10Native stream: oLE10naTiVe
    Size: 794144 bytes