Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 3ffab2379543cd74…

MALICIOUS

Office (OOXML) / .XLSX

Size: 805.0 KB
Created: 2020-10-08 19:32:34 UTC
Authoring application: Microsoft Excel 12.0000
MD5: b0519ab985bf00c58bf72c8c0b57cac4
SHA-1: bc46f1a57dcf145f0e3e45e360adb77be8bbc6d5
SHA-256: 3ffab2379543cd74e1e8ef2b3fcba558dfc8e2ec5346a7c7b682bda647ce4973
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1137.006 DLL Search Order Hijacking

The file is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object is frequently exploited to deliver malicious content. The document body, while appearing to be an invoice or delivery order, does not contain explicit malicious text, but the presence of the embedded Equation Editor OLE object is a strong indicator of malicious intent. The embedded OLE object itself is the primary IOC.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/Gqh1Izn.AU6 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: a8ba30edd1b0ef6c40ca08d28b5f5416fd091f3b3dd9d565bd5270c2dd7293e3
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/Gqh1Izn.AU6
  Size: 997888 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: cecb35eb73418008ab09adc52ec8bbe1b7e88e043e3deb099ae7cb85ffc6213f
  Kind: ole-package
  Source: OOXML xl/embeddings/Gqh1Izn.AU6 Ole10Native stream: olE10NaTive
  Size: 987494 bytes