Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 518936b9c2caa9bd…

MALICIOUS

Office (OOXML) / .XLSX

Size: 748.4 KB
Created: 2021-12-06 14:45:17 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2022-05-12

MD5: 4787954bd0dd2654134b04309a0503fc
SHA-1: 837ea70b966dad08ff1634c1ea90cce2bb2087b8
SHA-256: 518936b9c2caa9bdf35829903c0dcb7e033c9b82c2a772b096908674f4e9c7b7

Risk Score: 100

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File

The file is an Excel workbook containing a single embedded OLE object whose CLSID identifies it as an Equation Editor (EQNEDT32.EXE) object. Equation Editor has no legitimate business in a workbook like this, and its presence strongly suggests exploitation of one of the known memory-corruption bugs in that legacy component (CVE-2017-11882, CVE-2018-0802, CVE-2018-0798). A run of 20 or more 0x90 (NOP) bytes inside the object is consistent with a NOP sled placed ahead of shellcode. No VBA macros or scripts were extracted, so the embedded OLE object is the sole exploitation vector; by analogy with other Equation Editor exploits the shellcode most likely downloads and executes a secondary payload, but that second stage is inferred from the exploit family rather than extracted from this sample. Note also that the object's Ole10Native stream is spelled ole10nAtIVe rather than the canonical Ole10Native: compound-file stream names are resolved case-insensitively, so the object still loads, while signatures that match the exact stream name will miss it.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE-related) OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/IqGEIAU.FGa32oQ contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • NOP sled detected (severity: high) SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • Embedded OLE object (severity: medium) OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: a78f4b6c3e142c06242263ebfeca7e61a1399e568482747f750b52fc3abf4d2b
Kind: ooxml-ole-object
Source: OOXML embedded OLE part xl/embeddings/IqGEIAU.FGa32oQ
Size: 1026560 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
SHA-256: 275ed700ec6611fa09be2e880dce80de4494d39a1dcbde3598c70da47e053517
Kind: ole-package
Source: Ole10Native stream (spelled ole10nAtIVe) of OOXML part xl/embeddings/IqGEIAU.FGa32oQ
Size: 1015814 bytes