Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4ffce522bc2d6233…

MALICIOUS

Office (OOXML) / .XLSX

Size: 730.3 KB
Created: 2022-05-16 17:34:45 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2023-02-06
MD5: 6cf4a5b86aab2ad6f8fd4c69156001b1
SHA-1: 7a7702abe3f0a587e01fa053d778677ec05cd1b3
SHA-256: 4ffce522bc2d623335ecfb5a740e8fa84f281f821725ebac14dec3838e5bae35
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File
  • T1566 Phishing

The file is an Excel document identified by ClamAV as Xls.Downloader.Trojan. It contains an embedded Equation Editor OLE object with an anomalous Ole10Native stream, which indicates that the object carries a payload rather than a genuine equation. This structure strongly suggests the file is designed to exploit vulnerabilities in the legacy Equation Editor component to download and execute a secondary stage, behaviour typical of a downloader trojan.

Heuristics (4)

  • Equation Editor OLE object [severity: high, CVE related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/ZH.qX contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0 [severity: critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0
  • Equation Editor object carries payload-like Ole10Native stream [severity: high] OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [severity: medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 4d2f304736850c631dc2f8ab668bb7ac1079de77b2ff62f8b9a8fcc8d77fd94a
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/ZH.qX
  Size: 831488 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: db4763f5b836a1ae95d8713ad6278b167be9b83a844bf1181d2aa5b7f25604fd
  Kind: ole-package
  Source: OOXML xl/embeddings/ZH.qX Ole10Native stream: oLe10NATiVE
  Size: 822301 bytes

Filename: emf_00.emf
  SHA-256: 38f17a599ac5d645df3840bbb401710ef81573a747da20abbfc1b7d9a9273b58
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 169096 bytes