Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 51ca0005c77e1e69…

MALICIOUS

Office (OOXML) / .XLSX

Size: 615.7 KB
Created: 2021-12-06 14:45:17 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2022-06-02
MD5: eec5c0e00ee6fae3bda35eb2add5f719
SHA-1: 0f459c23c37c434a3a37b990db65f127646e9c6b
SHA-256: 51ca0005c77e1e698945117aee1c545c84bd01900e0005e2337e4cabaa5014e2
Risk score: 66

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model

The primary indicator of maliciousness is an embedded OLE object whose root-entry CLSID identifies it as a Microsoft Equation 3.0 (Equation Editor) object. The legacy Equation Editor component (EQNEDT32.EXE) is a well-known exploitation target in weaponised Office documents: a crafted equation object triggers a memory-corruption bug in the component and leads to execution of attacker-supplied code when the document is opened. The same embedded part also carries an Ole10Native stream, the stream type an OLE Package object uses to hold an arbitrary embedded file; its name is stored in mixed case ("ole10NaTIVe"), so tooling that matches the stream name case-sensitively will miss it. No specific malware family could be identified from static analysis alone.

Heuristics (2)

  • OLE_EQUATION_EDITOR (severity: high, CVE related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/ICc.3eJ9 contains the Equation Editor CLSID, the legacy component (EQNEDT32.EXE) exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • OOXML_OLE_OBJECT (severity: medium): Embedded OLE object
    The document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 408572f94132bfb74235a8afe56a077c18ec3c0e5c8acad91a4f11e7e6f5299c
Kind: ooxml-ole-object
Source: OOXML embedded OLE part xl/embeddings/ICc.3eJ9
Size: 831,488 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
SHA-256: b77cd5997628ce61ef5b19b6754d75322424da92a011c7cf48592a08d58256d3
Kind: ole-package
Source: Ole10Native stream (stored as "ole10NaTIVe") inside xl/embeddings/ICc.3eJ9
Size: 822,632 bytes
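The two checks behind the OLE_EQUATION_EDITOR heuristic and the Ole10Native artifact above can be reproduced without third-party modules by walking the OOXML zip and the MS-CFB directory of each embedded part. The script below is an added example, not code from the report or the analysis service that produced it. The Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046} is the public CLSID of Microsoft Equation 3.0; the embedded-part name xl/embeddings/ICc.3eJ9 and the stream spelling "ole10NaTIVe" are taken from this report; the workbook and the minimal compound file it scans are constructed in the script itself (build_sample_cfb, build_sample_xlsx), so it runs offline and does not need the sample.

```python
import io
import struct
import uuid
import zipfile

# CLSID of Microsoft Equation 3.0 (EQNEDT32.EXE), the component targeted by
# CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
NULL_CLSID = uuid.UUID(int=0)
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF


def parse_cfb_directory(data):
    """Return (root CLSID, [stream names]) from an MS-CFB compound file.

    Only the header, the FAT and the directory entries are read."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat_sectors, first_dir = struct.unpack_from("<II", data, 0x2C)

    def sector(n):  # sector 0 starts right after the header
        return data[(n + 1) * sector_size:(n + 2) * sector_size]

    fat = []  # the first 109 FAT sector numbers live in the header's DIFAT
    for i in range(min(num_fat_sectors, 109)):
        s = sector(struct.unpack_from("<I", data, 0x4C + 4 * i)[0])
        fat.extend(struct.unpack("<%dI" % (len(s) // 4), s))

    root_clsid, streams, n, seen = None, [], first_dir, set()
    while n != ENDOFCHAIN and n not in seen:  # walk the directory sector chain
        seen.add(n)
        s = sector(n)
        for off in range(0, len(s) - 127, 128):
            e = s[off:off + 128]
            name_len, obj_type = struct.unpack_from("<HB", e, 64)
            if obj_type == 5:  # root storage: its CLSID names the embedded object
                root_clsid = uuid.UUID(bytes_le=e[80:96])
            elif obj_type == 2:  # stream: UTF-16LE name, length includes the NUL
                streams.append(e[:max(name_len - 2, 0)].decode("utf-16-le", "replace"))
        n = fat[n] if n < len(fat) else ENDOFCHAIN
    return root_clsid, streams


def scan_ooxml(blob):
    """Return [(part name, rule)] for every embedded OLE part in an OOXML zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if not name.startswith("xl/embeddings/"):
                continue
            part = zf.read(name)
            if part[:8] != CFB_MAGIC:
                continue
            clsid, streams = parse_cfb_directory(part)
            if clsid == EQUATION_EDITOR_CLSID:
                findings.append((name, "OLE_EQUATION_EDITOR"))
            # Match case-insensitively: this sample spells the stream "ole10NaTIVe".
            if any(s.lower() == "ole10native" for s in streams):
                findings.append((name, "OLE10NATIVE_STREAM"))
    return findings


def build_sample_cfb(clsid, stream_name):
    """Constructed v3 compound file: header, one FAT sector, one directory sector."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # v3, LE, 512/64-byte sectors
    struct.pack_into("<II", hdr, 0x2C, 1, 1)  # one FAT sector; directory chain starts at sector 1
    struct.pack_into("<IIIII", hdr, 0x38, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT / DIFAT
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))  # DIFAT: the FAT is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))

    def entry(name, obj_type, clsid_bytes=bytes(16), child=NOSTREAM):
        e = bytearray(128)
        enc = name.encode("utf-16-le") + b"\0\0"
        e[:len(enc)] = enc
        struct.pack_into("<HBBIII", e, 64, len(enc), obj_type, 1, NOSTREAM, NOSTREAM, child)
        e[80:96] = clsid_bytes
        struct.pack_into("<I", e, 116, ENDOFCHAIN)  # no stream data stored
        return bytes(e)

    directory = entry("Root Entry", 5, clsid.bytes_le, child=1) + entry(stream_name, 2) + bytes(256)
    return bytes(hdr) + fat + directory


def build_sample_xlsx(part_name, part):
    """Constructed OOXML container holding just the embedded part of interest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(part_name, part)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx("xl/embeddings/ICc.3eJ9",
                               build_sample_cfb(EQUATION_EDITOR_CLSID, "ole10NaTIVe"))
    for part, rule in scan_ooxml(sample):
        print(f"{part}: {rule}")
```

The CLSID is compared from the root directory entry rather than searched for as a raw byte pattern, so a document that merely mentions the GUID in XML will not trip the rule, and the stream name is lowered before comparison so that case variants such as the one in this sample are still caught. To run it against a real workbook, replace the constructed sample with the bytes of the file; the scanner itself needs nothing beyond the standard library.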