Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4e4dd7ba2a890972…

MALICIOUS

Office (OOXML) / .XLSX

Size: 595.9 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 15ea8a534bbe830c2874850fbd4248c1
SHA-1: 0c231cc1f21bc645dffaa1b696208a3c27675eff
SHA-256: 4e4dd7ba2a8909725291362a15c5bf3e4dccc17ba5881a9f2cf971e433617b0e
Risk score: 60

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The sample is an XLSX workbook containing an embedded OLE object whose root storage carries the CLSID of the legacy Equation Editor component (EQNEDT32.EXE). Equation Editor objects are a well-known exploitation vector: the component has a series of memory-corruption vulnerabilities (CVE-2017-11882 and its successors) that attackers trigger to run shellcode, typically to drop or download a secondary payload. The presence of this object in a spreadsheet, together with the Ole10Native (Packager) stream carved from it in the artifacts section below, strongly suggests the document is meant to execute code and stage further malware when opened. This is a static verdict based on the object's CLSID and stream layout; confirming that the object actually carries a working exploit requires inspecting its stream contents or detonating the sample in a sandbox.

Heuristics (2)

  • Equation Editor OLE object | severity: high | tags: CVE related | id: OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/AEr.YuglR8Z contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object | severity: medium | id: OOXML_OLE_OBJECT
    The document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename (SHA-256 on the following line)      Kind              Source                                                            Size
ooxml_oleobject_00.bin                        ooxml-ole-object  OOXML embedded OLE part: xl/embeddings/AEr.YuglR8Z               809984 bytes
  f237e8ece67c039da48810a1088c1cff5c57d2213ca21c543c8ef32ae7c3d045
ooxml_oleobject_00_ole10native_00.bin         ole-package       OOXML xl/embeddings/AEr.YuglR8Z Ole10Native stream: oLE10NAtIvE  801124 bytes
  97d88e75c1efce41ef2fd3f071cee7f8ea7ee51601a537c4401bdf7937d22a32

Note: the Ole10Native stream name in this object is case-mangled (oLE10NAtIvE rather than the canonical Ole10Native). Compound-file stream names are matched case-insensitively, so the object still loads normally, but a signature or parser that matches the canonical spelling byte-for-byte will miss it.
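The second artifact is the raw Ole10Native stream, which is the Packager format: a small header naming the embedded file and the temp path it will be written to, followed by the file itself. The next step in triage is to parse that header and pull out the payload for its own analysis. The following parser is an added example written for this page, not code from the analysis platform; its field layout follows the one documented by oletools' OleNativeStream, and it validates every declared length against the bytes actually present, because crafted samples routinely lie about them. The sample stream it runs on is constructed inline (a fake 64-byte MZ payload labelled note.txt), not the 801124-byte stream listed above, and the Windows paths in it are invented for the demonstration.

```python
import hashlib
import struct


def _cstring(buf, pos):
    """Read a NUL-terminated byte string at pos; return (string, position after the NUL)."""
    end = buf.index(b"\x00", pos)  # raises ValueError when the terminator is missing
    return buf[pos:end], end + 1


def parse_ole10native(stream):
    """Parse a Packager 'Ole10Native' stream into its header fields and embedded payload.
    Layout (after oletools' OleNativeStream): DWORD total size; WORD flags (2); label NUL;
    original path NUL; WORD 0; WORD 3; DWORD temp-path length; temp path NUL; DWORD payload
    size; payload bytes."""
    if len(stream) < 6:
        raise ValueError("stream too short for an Ole10Native header")
    total, flags = struct.unpack_from("<IH", stream, 0)
    if total > len(stream) - 4:  # the size DWORD counts everything after itself
        raise ValueError("declared size %d exceeds stream length %d" % (total, len(stream)))
    pos = 6
    label, pos = _cstring(stream, pos)
    src_path, pos = _cstring(stream, pos)
    _, _, temp_len = struct.unpack_from("<HHI", stream, pos)
    pos += 8
    temp_path, pos = _cstring(stream, pos)
    size, = struct.unpack_from("<I", stream, pos)
    pos += 4
    payload = stream[pos:pos + size]
    if len(payload) != size:
        raise ValueError("payload truncated: declared %d bytes, %d present" % (size, len(payload)))
    return {
        "flags": flags,
        "label": label.decode("latin-1"),
        "src_path": src_path.decode("latin-1"),
        "temp_path": temp_path.decode("latin-1"),
        "temp_len_consistent": temp_len == len(temp_path) + 1,
        "payload": payload,
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "payload_is_pe": payload[:2] == b"MZ",  # a PE dropped via Packager is the classic next stage
    }


def build_ole10native(label, src_path, temp_path, payload):
    """Serialize fields in Ole10Native layout; used here only to construct test input."""
    body = struct.pack("<H", 2) + label + b"\0" + src_path + b"\0"
    body += struct.pack("<HHI", 0, 3, len(temp_path) + 1) + temp_path + b"\0"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Constructed sample (not the analysed stream): a fake 64-byte "executable" packaged as note.txt.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62
SAMPLE_STREAM = build_ole10native(
    b"note.txt",
    b"C:\\Users\\victim\\note.txt",
    b"C:\\Users\\victim\\AppData\\Local\\Temp\\note.txt",
    SAMPLE_PAYLOAD)

if __name__ == "__main__":
    info = parse_ole10native(SAMPLE_STREAM)
    for key in ("label", "src_path", "temp_path", "payload_sha256", "payload_is_pe"):
        print("%-15s %s" % (key, info[key]))
```

On a real carved stream, run parse_ole10native over the file's bytes and hand the returned payload to the next stage of analysis; the temp_path field is also worth recording, since it is the location the payload is written to on the victim and therefore a useful host-based indicator.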