Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4c79363168eb45ad…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.24 MB
Created: 2006-09-16 00:00:00 UTC (docProps timestamp; author-controlled, so not a reliable indicator)
Authoring application: Microsoft Excel 12.0000
MD5: e4d8a37f7792201820ae2861a6dd78a0
SHA-1: 5fdf7a573cf36420ce28708b615e851b7b2e6d8b
SHA-256: 4c79363168eb45ad9c85a057a2f4eb1e7612166971db05e4f3bd5a0f2174f8a5
Risk score: 170

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The critical ClamAV detection and the high-severity heuristics on the embedded Equation Editor OLE object indicate a malicious payload. The size anomaly in the Ole10Native stream (declared package sizes that do not match the stored data) is the shape of an exploit or downloader container rather than a genuine equation. The file is an OOXML XLSX workbook; an embedded OLE object carrying the Equation Editor CLSID is a common delivery mechanism for exploits against that legacy component, and the hidden sheet is consistent with staging or payload assembly inside the workbook.

Heuristics 6

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Xls.Downloader.af2fa5c5d0587870-9978799-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.af2fa5c5d0587870-9978799-0
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below are XML namespace identifiers (RDF, Adobe XMP, TIFF, Dublin Core) of the kind carried in embedded image metadata; none of them is a contact address, and they should not be treated as network indicators.
    • http://www.day.com/dam/1.0
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/tiff/1.0/
    • http://purl.org/dc/elements/1.1/
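The three findings above (Equation Editor CLSID in an embedded OLE part, an Ole10Native stream whose declared sizes do not match its contents, and a hidden sheet) can be reproduced with a short triage script. The following is an added example, not the report's analysis engine: it builds a constructed .xlsx in memory with stand-in embedded parts (the real sample's bytes are not reproduced), locates the xl/embeddings/*.bin parts, byte-searches them for the Equation Editor CLSID and an Ole10Native directory-entry name (case-insensitively, so the mixed-case "Ole10nAtivE" seen in the carved stream still matches), parses a carved Ole10Native stream for declared-versus-actual size gaps and payload entropy, and lists hidden sheets from xl/workbook.xml. The Ole10Native field layout, the file and sheet names, and the byte-search shortcut are assumptions of this example.

```python
"""Triage helpers for the findings above (added example; not the report's tooling
and not the sample's real bytes): find embedded OLE parts in an .xlsx, test them
for the Equation Editor CLSID and an Ole10Native stream name, parse a carved
Ole10Native stream for size inconsistencies, and list hidden sheets."""
import io
import math
import struct
import uuid
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Equation Editor CLSID as stored in a CFB directory entry (mixed-endian GUID).
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
# CFB directory-entry names are UTF-16LE; the \x01 prefix is part of the name.
OLE10NATIVE_NAME = "\x01ole10native".encode("utf-16-le")
SSML = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed, encrypted or packed content."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def has_equation_editor_clsid(ole_blob: bytes) -> bool:
    return EQUATION_EDITOR_CLSID in ole_blob

def has_ole10native_stream_name(ole_blob: bytes) -> bool:
    # bytes.lower() only touches ASCII letters, so the 0x00 high bytes of the UTF-16LE
    # name survive and a case-mangled name such as "Ole10nAtivE" still matches.
    return OLE10NATIVE_NAME in ole_blob.lower()

def _cstring(buf: bytes, pos: int):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def parse_ole10native(stream: bytes) -> dict:
    """Parse a carved Ole10Native stream (packager layout assumed: u32 total size,
    u16 flags, label\\0, filename\\0, two u16, u32 path length, path, u32 data size,
    data) and flag declared-vs-actual size gaps."""
    declared_total = struct.unpack_from("<I", stream, 0)[0]
    label, pos = _cstring(stream, 6)          # skip total size and flags
    filename, pos = _cstring(stream, pos)
    path_len = struct.unpack_from("<I", stream, pos + 4)[0]   # after two u16 fields
    pos += 8
    path = stream[pos:pos + path_len].rstrip(b"\x00").decode("latin-1")
    pos += path_len
    declared_data = struct.unpack_from("<I", stream, pos)[0]
    payload = stream[pos + 4:]
    anomalies = []
    if declared_total != len(stream) - 4:
        anomalies.append("total size %d != actual %d" % (declared_total, len(stream) - 4))
    if declared_data != len(payload):
        anomalies.append("data size %d != actual %d" % (declared_data, len(payload)))
    return {"label": label, "filename": filename, "path": path,
            "declared_data_size": declared_data, "actual_data_size": len(payload),
            "entropy": round(shannon_entropy(payload), 2), "anomalies": anomalies}

def triage_xlsx(xlsx_bytes: bytes) -> dict:
    """Per-part OLE findings plus hidden sheets from xl/workbook.xml."""
    result = {"parts": {}, "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("xl/embeddings/") and name.endswith(".bin"):
                blob = zf.read(name)
                result["parts"][name] = {"size": len(blob),
                                         "equation_editor": has_equation_editor_clsid(blob),
                                         "ole10native": has_ole10native_stream_name(blob)}
        if "xl/workbook.xml" in zf.namelist():
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            result["hidden_sheets"] = [s.get("name") for s in root.iter(SSML + "sheet")
                                       if s.get("state") in ("hidden", "veryHidden")]
    return result

# Constructed stand-ins for the two carved parts; the real sample is not reproduced.
def build_ole10native(name: str, payload: bytes, declared_data: int) -> bytes:
    cname = name.encode("latin-1") + b"\x00"
    path = b"C:\\temp\\" + cname
    body = (struct.pack("<H", 2) + cname + cname + struct.pack("<HHI", 0, 3, len(path))
            + path + struct.pack("<I", declared_data) + payload)
    return struct.pack("<I", len(body)) + body

SUSPICIOUS_STREAM = build_ole10native("equation.wmf", bytes(range(256)) * 4, declared_data=64)
BENIGN_STREAM = build_ole10native("chart.bmp", b"BM" + b"\x00" * 60, declared_data=62)
SUSPICIOUS_PART = (b"\xd0\xcf\x11\xe0" + EQUATION_EDITOR_CLSID
                   + "\x01Ole10nAtivE".encode("utf-16-le") + SUSPICIOUS_STREAM)
BENIGN_PART = b"\xd0\xcf\x11\xe0" + "\x01Ole10Native".encode("utf-16-le") + BENIGN_STREAM
WORKBOOK_XML = ('<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
                '<sheets><sheet name="Sheet1" sheetId="1"/>'
                '<sheet name="Stage" sheetId="2" state="hidden"/></sheets></workbook>')

def build_sample_xlsx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", WORKBOOK_XML)
        zf.writestr("xl/embeddings/oleObject1.bin", SUSPICIOUS_PART)
        zf.writestr("xl/embeddings/oleObject2.bin", BENIGN_PART)
    return buf.getvalue()
```

Running `triage_xlsx(build_sample_xlsx())` flags oleObject1.bin for both the CLSID and the stream name, oleObject2.bin for the stream name only, and reports "Stage" as hidden; `parse_ole10native(SUSPICIOUS_STREAM)` reports a data size declared as 64 bytes against 1024 actually stored, at 8.0 bits of entropy, while the benign stream parses cleanly. The byte search is a triage shortcut of the kind YARA-style rules use: it finds the CLSID and the stream name anywhere in the container but does not walk the CFB FAT, so it cannot extract the stream. On a real part, carve it first with olefile (`olefile.OleFileIO(blob).openstream("\x01Ole10Native").read()`) and pass the result to `parse_ole10native`.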

Extracted artifacts 6

Files carved from inside the sample during analysis (filename, SHA-256, kind, source, size).

  • ooxml_oleobject_00.bin
    SHA-256: ea91673dc007f318dc0863552c9dcb9e311c3d5ffc97fc1776c083cd746b9570
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
    Size: 964096 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 7ff4ab6bb2da041fadc6a37ff50ec36f75599e267ba2c4655237efe2701c70b0
    Kind: ole-package
    Source: OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10nAtivE (stream name as stored, mixed case)
    Size: 953944 bytes
  • ooxml_oleobject_01.bin
    SHA-256: 69ff6ffa426ff9afba41e05756d29b94b1d720ee854fe9c6af2267155ca0719c
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject2.bin
    Size: 10240 bytes
  • ooxml_oleobject_01_ole10native_00.bin
    SHA-256: 59fb77315591a55324873430963abffa12244adc4996302250a87d8a758a5796
    Kind: ole-package
    Source: OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native
    Size: 8667 bytes
  • emf_00.emf
    SHA-256: 31ae0d48b97e73244e85ccbeb60c273c7b0db3eb16e92dfe88bedfb4bc1046b8
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image8.emf
    Size: 648132 bytes
  • emf_01.emf
    SHA-256: 94e10c7cad1dd3032ab04923f846fd068913c54679dbc38570c3d0cf0ad0c3a7
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image9.emf
    Size: 7608 bytes