Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 51f40a774ecc8a29…

MALICIOUS

Office (OOXML)

722.3 KB Created: 1996-10-14 23:33:28 UTC Authoring application: Microsoft Excel 15.0300
MD5: 1e565619a041714365545a4d3adfde9b SHA-1: 2523009f42186af89288da63d155742d56ca2b3e SHA-256: 51f40a774ecc8a29616c65fa9550d204363eef9b7cadf4769f5ee997c322d017
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The sample is an Office document that contains an embedded OLE object, specifically an Equation Editor object, which is known to be used for exploiting vulnerabilities. The document body contains a lure instructing the user to 'ENABLE EDITING ABOVE' to view the content, indicating an attempt to trick the user into enabling macros or active content. This suggests the file is likely a dropper or exploit document designed to execute a malicious payload upon user interaction.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/gYmVLFv.xbal8jP contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
a6d31d7688e4b3b760ca29ddfae5ec8868ad32a4285ca826f5034cd44a2a49bf		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/gYmVLFv.xbal8jP 972288 bytes
ooxml_oleobject_00_ole10native_00.bin
57799078a196033e6b8d48e0f596be263f6e129cc9541dfbfefa198b9f29f146		 ole-package OOXML xl/embeddings/gYmVLFv.xbal8jP Ole10Native stream: OLE10NAtIVE 962486 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.