Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4de715cc8efe759c…

MALICIOUS

Office (OOXML) / .XLSX

599.7 KB Created: 2010-06-04 08:55:28 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2023-08-25
MD5: f383adacdac479322a5c37c90edf8162 SHA-1: d3bf7075832e55aabe76f5256d58bb45f18f9704 SHA-256: 4de715cc8efe759c913068845833cf69bc46e3ab96ce6ee9a005468638b4415a
100 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The file is an Excel document containing an embedded OLE object, specifically identified as a vulnerable Equation Editor object. High-severity heuristics indicate that this object carries a payload-like Ole10Native stream with an anomalous header, suggesting it's designed to exploit the Equation Editor vulnerability. The embedded OLE object is the primary indicator of malicious intent, likely leading to the execution of a secondary payload.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/6LL.HvW contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
9584ac4825749ab55f380cc668d15a510394adb8bcab8725a6d722219ec7344f		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/6LL.HvW 838144 bytes
ooxml_oleobject_00_ole10native_00.bin
e39d856843f7453cf5383b1ba5c65fa9371bb49c315d3249f826c8a7dbcc2f05		 ole-package OOXML xl/embeddings/6LL.HvW Ole10Native stream: OLE10NAtIVe 829355 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.