Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 41a0f0f8f10907c6…

MALICIOUS

Office (OOXML) / .XLSX

712.2 KB
MD5: 988addbc96a38f36784f68b87b5fce7e
SHA-1: 68c058f22f951d89cdf25f406c6d4f551c15160e
SHA-256: 41a0f0f8f10907c6d66be9fa76f4e23e2f69cfa58f19f3e0c6ac084777fd0e20

Risk Score: 110

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.001 Malicious Link

The file contains an embedded OLE object, specifically identified as a Microsoft Equation Editor object. Heuristics indicate that this object carries a payload-like Ole10Native stream with an anomalous header and size discrepancy, strongly suggesting exploitation of a vulnerability within the Equation Editor. The presence of external hyperlinks, including one to Reddit, further supports a delivery mechanism aimed at luring users into interacting with malicious content. No scripts were extracted, but the OLE object's structure is sufficient to infer a payload delivery attempt.

Heuristics (5)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high) [OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
  • External hyperlinks (710) (severity: low) [OOXML_EXTERNAL_HYPERLINKS]
    Document contains 710 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.reddit.com/r/dogecoin
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://www.iconomi.net/
    • https://www.coinist.io/press-releases/
    • https://blockstack.org/
    • https://icopressrelease.com/
    • http://www.icoduniya.com/
    • http://btcwarriors.com/
    • https://www.tezos.com/
    • https://bitcoinblackhat.com/
    • https://crypto20.com
    • https://coinforum.ca
    • https://tokenbox.io/
    • http://altcoinalerts.com/press-releases-ico/
    • https://grayscale.co/
    • http://icocrowd.com/send-a-press-release/
    • https://www.taas.fund/
    • http://worldcoinindex.com/
    • https://www.bitcoin-millionaire.com/forums/
    • https://thetoken.io/
    • https://icotimeline.com/tag/press-release/
    • http://tokenmarket.net/
    • https://bitco.in/forum/
    • https://blackmooncrypto.com/
    • https://coindelite.com/ico-press-release/
    • https://bitcoinforum.com
    • https://www.astronaut.capital/
    • http://icocalendar.today/
    • http://blockchain.capital/
    • https://icopanic.com/submit-press-release/
    • http://coinschedule.com/
    • https://thebitcoinstrip.com/free-bitcoins/
    • https://satoshi.fund/
    • https://blokt.com/submit-a-press-release
    • http://52ico.com/
    • https://bitcoingarden.org/forum/
    • https://www.panteracapital.com/
    • https://bitcoinexchangeguide.com/ico-press-release-marketing/
    • http://icoalert.com/
    • https://multicoin.capital/
    • https://londonletter.org/submit-ico-press-release/
    • http://coinhills.com/
    • https://forumbitcoin.co.id
    • http://polychain.capital/
    • http://cryptocoincharts.info/
    • https://triaconta.com/
    • https://cryptofame.io/ico-press-release/
    • http://allcoin.com/
    • https://melonport.com/
    • http://bluemagic.info/
    • https://bitcoinchaser.com/press-release
    • http://icorating.com/
    +519 more URL(s)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: c354e74f139e24da72f95a0a862b5d93e9ab586d974f7d65a22a882dc774544f
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
  Size: 1022464 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 00edaa3e7792f0c11e77d5c45f55450edf8ed3e9960fb1bd4ae0c8b57d5e6396
  Kind: ole-package
  Source: OOXML xl/embeddings/oleObject1.bin Ole10Native stream: OlE10naTIvE
  Size: 1012180 bytes