Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 443d59bcd7b54565…

MALICIOUS

Office (OOXML) / .XLSX

Size: 791.0 KB
Created: 2022-05-16 17:34:45 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-06-23
MD5: d4c7e06d4fdd9d29ab55d1745c763f32
SHA-1: 5b1d0906d714f97d1c1ebc32888a9de2f2746170
SHA-256: 443d59bcd7b54565a055c46774ce86686e3fd4fecc31d7c032cc6c50f0f08b61
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The file is an Excel (OOXML) workbook that ClamAV flags as Xls.Downloader.Trojan-aa0b8f388d8573cd. Static analysis found a single embedded OLE object (xl/embeddings/wGDY.JWZY) that declares the Equation Editor CLSID yet carries an 878 KB Ole10Native stream, the OLE Packager container format, making up almost the whole 887 KB object. A genuine Equation Editor object stores its MTEF data in an Equation Native stream and has no reason to carry an Ole10Native stream at all; here that stream is large, high-entropy, and its package size fields do not agree with the stream length. The stream is also named olE10NAtiVE rather than Ole10Native: compound-file directory lookups are case-insensitive, so Office still resolves it, but case-sensitive string matching in detection tooling would not. Together these indicators point to downloader or dropper behaviour, with the embedded object used to deliver or run a second stage. The report does not tie the sample to a specific Equation Editor CVE, since the Equation Native (MTEF) exploit primitive was not matched.

Heuristics (4)

  • OLE_EQUATION_EDITOR (high; CVE related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/wGDY.JWZY contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • CLAMAV_DETECTION (critical): ClamAV: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0
    ClamAV detected this file as malware: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0
  • OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY (high): Equation Editor object carries payload-like Ole10Native stream
    Embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • OOXML_OLE_OBJECT (medium): Embedded OLE object
    Document contains an embedded OLE object.
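The following is an added example, not code from the analyzer that produced this report, showing how the two Equation Editor heuristics above can be reproduced on an embedded OLE object's streams. It assumes the streams have already been read out of the compound file (the mapping of stream names to bytes mirrors what olefile's listdir()/openstream() returns), uses the commonly documented Ole10Native (OLE Packager) layout with field names of our own choosing, and applies size and entropy thresholds that are assumptions rather than the report's. Both sample objects are constructed inline; the suspicious one deliberately uses the olE10NAtiVE stream name, a pseudo-random payload, and a wrong declared package size.

```python
"""Flag an Equation Editor OLE object that carries a payload-like Ole10Native stream.

Added example; stream layout, field names and thresholds are our assumptions.
"""
import hashlib
import math
import struct

EQUATION_EDITOR_CLSID = "0002ce02-0000-0000-c000-000000000046"  # Equation.3
PACKAGE_CLSID = "0003000c-0000-0000-c000-000000000046"          # OLE Packager


def find_stream(streams, wanted):
    """Compound-file directory names compare case-insensitively, so match that way
    (this is what lets an 'olE10NAtiVE' stream still load in Office)."""
    for name in streams:
        if name.lstrip("\x01").lower() == wanted.lower():
            return name
    return None


def shannon_entropy(data):
    """Bits per byte; packed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _cstr(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(data):
    """Parse the Packager header and report whether its size fields are consistent."""
    if len(data) < 6:
        raise ValueError("too short for an Ole10Native header")
    declared_total, = struct.unpack_from("<I", data, 0)   # size of everything after these 4 bytes
    flags, = struct.unpack_from("<H", data, 4)
    label, pos = _cstr(data, 6)
    src_path, pos = _cstr(data, pos)
    pos += 8                                               # two DWORDs whose meaning varies by writer
    temp_path, pos = _cstr(data, pos)
    payload_size, = struct.unpack_from("<I", data, pos)
    pos += 4
    return {
        "flags": flags, "label": label, "src_path": src_path, "temp_path": temp_path,
        "declared_total": declared_total, "payload_size": payload_size,
        "payload": data[pos:pos + payload_size],
        "total_matches": declared_total == len(data) - 4,
        "payload_fits": pos + payload_size <= len(data),
    }


def assess(clsid, streams, size_threshold=64 * 1024, entropy_threshold=7.0):
    """Return heuristic IDs that fire for one embedded OLE object (thresholds assumed)."""
    findings = []
    is_equation = clsid.strip("{}").lower() == EQUATION_EDITOR_CLSID
    if is_equation:
        findings.append("OLE_EQUATION_EDITOR")
    name = find_stream(streams, "Ole10Native")
    if name is None:
        return findings
    if name.lstrip("\x01") != "Ole10Native":
        findings.append("OLE10NATIVE_NAME_CASE")      # evasion of case-sensitive matchers
    raw = streams[name]
    info = parse_ole10native(raw)
    malformed = not (info["total_matches"] and info["payload_fits"])
    suspicious_size = len(raw) > size_threshold or malformed
    high_entropy = shannon_entropy(info["payload"]) >= entropy_threshold
    if is_equation and suspicious_size and high_entropy:
        findings.append("OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY")
    return findings


# --- constructed samples (not from the analysed file) -----------------------------
def build_ole10native(label, payload, lie_about_total=False):
    body = struct.pack("<H", 2) + label.encode() + b"\x00"
    body += b"C:\\src\\" + label.encode() + b"\x00"
    body += struct.pack("<II", 0x300, 0) + b"C:\\tmp\\" + label.encode() + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    total = len(body) // 2 if lie_about_total else len(body)
    return struct.pack("<I", total) + body


def pseudo_random(n, seed=b"sample"):
    """Deterministic high-entropy bytes standing in for a packed second stage."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


BENIGN = {"\x01Ole10Native": build_ole10native("notes.txt", b"quarterly figures attached\n")}
SUSPECT = {"\x01olE10NAtiVE": build_ole10native("payload.bin", pseudo_random(96 * 1024),
                                                lie_about_total=True)}

if __name__ == "__main__":
    print("packager object:", assess("{" + PACKAGE_CLSID + "}", BENIGN))
    print("equation object:", assess("{" + EQUATION_EDITOR_CLSID + "}", SUSPECT))
```

On a real sample, feed assess() the CLSID from the object's CompObj/root entry and the streams read with olefile from the carved xl/embeddings part; the carved Ole10Native stream itself (the ole-package artifact below) is what parse_ole10native() expects.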

Extracted artifacts (3)

Files carved from inside the sample during analysis.

ooxml_oleobject_00.bin
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/wGDY.JWZY
  Size:    887296 bytes
  SHA-256: bb537daece175aaf0a0bcc73f9c0048518d2dd2f17215ef4ae428815be90921a

ooxml_oleobject_00_ole10native_00.bin
  Kind:    ole-package
  Source:  OOXML xl/embeddings/wGDY.JWZY Ole10Native stream (stored under the name olE10NAtiVE)
  Size:    878020 bytes
  SHA-256: 094fbd736d81855178a62bc9ab9311dad2a8c017d0adb42a6a1253af846c75c6

emf_00.emf
  Kind:    ooxml-emf
  Source:  OOXML EMF part: xl/media/image1.emf
  Size:    169096 bytes
  SHA-256: 38f17a599ac5d645df3840bbb401710ef81573a747da20abbfc1b7d9a9273b58