Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 498d4a722e4d8cc1…

MALICIOUS

Office (OOXML) / .XLSX

Size: 714.9 KB
Created: 2022-07-21 17:04:09 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2023-07-06
MD5: 35a92e8fc1adfa85d7c2b6f09efa4c12
SHA-1: b1977b736f5a0153e5fe088c9edae0c356bec259
SHA-256: 498d4a722e4d8cc11a7538d74740bdb0e74617c6286564e8e937c1130a60d7e4
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.005 Visual Basic

The sample is an Office document containing an embedded OLE object, specifically an Equation Editor object, a legacy component known to be exploited to deliver malicious payloads. The heuristic 'SE_ENABLE_LURE' indicates that the document likely instructs the user to enable macros or editing to facilitate execution. The OLE object's 'Ole10Native' stream is anomalous in size, suggesting it carries a payload. No scripts were extracted, and the document body is heavily obfuscated, which prevents further analysis of its specific intent beyond payload delivery.

Heuristics (4)

  • Equation Editor OLE object (severity: high, CVE-related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/E8Abbsj.YxsQ contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high) [OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
  • Macro/content-enable lure (severity: medium) [SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: e51e5774d0257bc46dd8b4e4f6b7189917f725d5c2b6922ffc40d0d460d8e769
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/E8Abbsj.YxsQ
    Size: 967680 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: b8a2bbcf3eabea7b240e3f25b3993f58ac78b04f0123d18bf3deb04fe6257fec
    Kind: ole-package
    Source: OOXML xl/embeddings/E8Abbsj.YxsQ Ole10Native stream: OLE10NAtive
    Size: 957463 bytes