Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 440be14bec205816…

MALICIOUS

Office (OOXML) / .XLSX

Size: 614.4 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 3f9dfa8c63fafda033f20d6cf2405398
SHA-1: df9c795db3646456d91817969c7c2100652a426a
SHA-256: 440be14bec2058169a497df4d9dbc3d46fa31ac1ce43f82d365fd477bad118ff
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The file is an Excel spreadsheet containing an embedded OLE object identified as an Equation Editor object. Embedding Equation Editor objects is a common technique for exploiting vulnerabilities in Microsoft Office applications to execute arbitrary code. While no specific exploit or payload was directly identified in this static analysis, the presence of the Equation Editor OLE object strongly suggests malicious intent, most likely to deliver a secondary payload.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/OB.WK contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: c95f11a351d3a002925df5e32a6bc3e5129dca94f699294d35fdd2336edb02ea
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/OB.WK
  Size: 884736 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 10ee9dfedb1dec3f841130862bd07fc380853ec75f21320cbe9bdefbd68c28a2
  Kind: ole-package
  Source: OOXML xl/embeddings/OB.WK Ole10Native stream: Ole10Native
  Size: 875201 bytes