Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4d6ddf9237e8dce5…

MALICIOUS

Office (OOXML) / .XLSX

589.4 KB Created: 2022-08-10 18:51:50 UTC Authoring application: Microsoft Excel 16.0300
MD5: ad8b92e44bd2d3703c895e34ca4e2865 SHA-1: 6503ab3f0a7adbeb16b389d29ed2a2c6f742bf5a SHA-256: 4d6ddf9237e8dce54263bfe1df769f0c2fb6941713b7959decc1a7822e6e8e9b
62 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object is frequently used to deliver exploits, such as CVE-2017-11882. The presence of this object strongly suggests an attempt to exploit a vulnerability when the user interacts with it. No scripts were extracted, and the document body contains what appears to be financial or order data, which serves as a plausible lure.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/XLKOY.JQi contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
33ebf9e538946a3f9d2d461718ad00c026776adb4e7a8f7564d2c35f913ecae7		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/XLKOY.JQi 814080 bytes
ooxml_oleobject_00_ole10native_00.bin
52303a80b52b04df7bf7a6cc7d0916da23c402d1720420bf84953efb91973a49		 ole-package OOXML xl/embeddings/XLKOY.JQi Ole10Native stream: OLE10nAtiVe 805273 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.