Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4611eb781a6c07ec…

MALICIOUS

Office (OOXML) / .XLSX

Size: 746.5 KB
Created: 2020-05-18 06:42:12 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2022-02-25
MD5: 7a4f6d572953825cdd06fe211630aea5
SHA-1: 9de56dd9c3b92578c540f04b6a41adadb9ad0429
SHA-256: 4611eb781a6c07ec713c62706f05f4b9de4d40e0b8772322e698404754a39419
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File

The file is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object is known to be vulnerable to exploitation, allowing for arbitrary code execution. The embedded OLE object is the primary indicator of malicious intent, likely serving as a dropper for further malicious payloads. No scripts were extracted, and the document body content appears to be legitimate business data, suggesting the exploit is the sole malicious component.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/OCD62Cl.cT6 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: cb723d94f91b72511dace1792b2ea1388f2db709648f3e26fda020f40c38b826
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/OCD62Cl.cT6
Size: 991232 bytes