Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 47528741b742af8d…

MALICIOUS

Office (OLE) / .XLSX

32.5 KB
MD5: d483c2228ea8170a27b253e261a1920b SHA-1: 6e3a965ce74c7a12aa890112c3edc08f9b7b3c8b SHA-256: 47528741b742af8ddf02e69da244ff02e379558f086bd4f8d654655bcfe6f061
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

The OOXML document is encrypted with a default password, indicating it's likely a carrier for malicious content. The presence of an embedded OLE object further suggests an attempt to conceal and deliver a secondary payload. Without further analysis of the OLE object, the exact attack vector and family remain undetermined.

Heuristics 2

  • Default-encrypted OOXML exploit carrier layout high OOXML_ENCRYPTED_EXPLOIT_CARRIER_SHAPE
    Default-password encrypted OOXML package contains embedded OLE object parts and additional activation/decoy parts. This layout is common in malicious Excel exploit delivery and requires inspecting the decrypted package.
  • Office OOXML encrypted with default VelvetSweatshop password medium OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML
    OLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens this transparently, and malware uses it to hide OOXML exploit parts from scanners that only inspect the outer OLE container.

Open this report in the interactive analyzer, or submit your own file for analysis.