Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4ad223393f9495bc…

MALICIOUS

Office (OOXML) / .XLSX

672.4 KB Created: 2024-03-25 10:30:17 UTC Authoring application: Microsoft Excel 12.0000
MD5: a46f1687d48a44f7857ced39de453822 SHA-1: 1320a52ba18978576912bac47822744d4b60c677 SHA-256: 4ad223393f9495bcfd166ccf3dfb4c995125a79905aa6ef338f692fb01a7051d
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is an OOXML document containing an embedded OLE object, specifically identified as a Equation Editor object. This type of object is known to be vulnerable to exploitation, allowing for arbitrary code execution. The presence of this object strongly suggests an attempt to exploit a known vulnerability to deliver a malicious payload.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/DQmjzM.hrg0W contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
a1b9d3439150ce8460ed332cfdbe25a24e8d28da3cb297dc2ac464ad42369a9a		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/DQmjzM.hrg0W 950784 bytes
ooxml_oleobject_00_ole10native_00.bin
2e10868238c7c13f68e80debc64c76aadea08c63a74b2bb745a47f2d1555143e		 ole-package OOXML xl/embeddings/DQmjzM.hrg0W Ole10Native stream: ole10NATiVE 940986 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.