Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 4ad952ab97c66320…

Verdict: MALICIOUS

File type: Office (OLE) / .XLSX

Size: 251.0 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2022-12-07

MD5: c9d30445ceb475c92d5edf1487feaa3e
SHA-1: e10efae8927175486f3331a0fa175bd911d90346
SHA-256: 4ad952ab97c6632023b2f5cba3714a5b198aa428cca3b212388c3d522f65a928

Risk Score: 140

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1559.001 Component Object Model Hijacking

The critical heuristic firing indicates the presence of a payload exploiting CVE-2017-11882 within an Equation Editor OLE object. This technique is commonly used to achieve arbitrary code execution. No document body or script content was available for further analysis, but the exploit itself is sufficient evidence of malicious intent.

Heuristics (3)

  • Equation Editor Ole10Native payload (CVE-2017-11882)
    Severity: critical   Category: CVE likely   Rule: CVE_2017_11882_EQUATION_OLE10NATIVE
    An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
  • Equation Editor OLE object
    Severity: high   Category: CVE related   Rule: OLE_EQUATION_EDITOR
    Contains an Equation Editor object. This is related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • x86 GetPC stub (CALL $+5; POP EBP)
    Severity: high   Rule: SC_GETPC_CALL
    An x86 GetPC stub (CALL $+5; POP EBP) was found, a position-independent shellcode idiom for locating its own address.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ole10native_00.bin
    SHA-256: 45f657068376f276b7dda01e02d866e7cf3fdc7005aa897a5d8825fe12165aac
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD011E127E/Ole10Native
    Size: 9818 bytes
  • Filename: ole10native_06.bin
    SHA-256: 869266951af5fed7b59bf54fc43fe64aff2a872db4517438495ed4bb6bf022aa
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD011E1284/olE10nAtIve
    Size: 1558 bytes