Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 52b81a5a0c3fe5d8…

MALICIOUS

Office (OOXML) / .XLSX

Size: 741.9 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2023-09-14
MD5: 8b906ae35de951cc2d12ece37ebdc3a7
SHA-1: 64c34a2d7fa696896a17ab968abc669aa1853558
SHA-256: 52b81a5a0c3fe5d856023b2c2fa5697000398082d9678e00a8844f693c24181c
Risk score: 100

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
T1204.002 User Execution: Malicious File

The sample is an Excel workbook with a single embedded OLE object (xl/embeddings/sjAq5vRjZ.H9jl30x) whose root CLSID identifies it as a Microsoft Equation Editor (EQNEDT32.EXE) object. Instead of the Equation Native stream such an object normally carries, it stores a 1,041,135-byte, high-entropy Ole10Native (Packager-format) stream whose size header does not match the actual stream length. A legacy Equation Editor object wrapping a payload-sized Ole10Native stream is a strong indicator of an exploit attempt, most plausibly to download and execute a second stage; static analysis alone does not attribute it to a specific CVE. Note that the stream name is stored as OLE10nATIvE: compound-file directory names are compared case-insensitively, so the object still loads normally, but case-sensitive string signatures for Ole10Native will miss it.

Heuristics (3)

  • Equation Editor OLE object [severity: high; tags: CVE related; rule: OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/sjAq5vRjZ.H9jl30x contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream [severity: high; rule: OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    Embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [severity: medium; rule: OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
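The three heuristics above can be reproduced with a short triage script. The following is an added example, not the report generator's own code: it unzips an OOXML workbook, parses each xl/embeddings/* part with a minimal compound-file (CFB) reader, checks the root CLSID against the Equation Editor CLSID, locates the Ole10Native stream case-insensitively, and compares the stream's leading size field with its real length and entropy. The `build_cfb` helper and the two objects in `demo()` are constructed fixtures, not carved from the sample; the entropy threshold of 7.0 and the rule names are assumptions chosen to mirror the report.

```python
"""Triage OOXML-embedded OLE objects for the Equation Editor + Ole10Native pattern.
Added example; not the report generator's code. The CFB reader is minimal:
it follows regular-FAT streams only and skips the mini stream."""
import io
import math
import struct
import uuid
import zipfile

EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")    # Equation Editor 3.0
PACKAGER_CLSID = uuid.UUID("F20DA720-C02F-11CE-927B-0800095AE340")  # OLE Packager (benign fixture)
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF


def cfb_streams(blob):
    """Return (root CLSID, {stream name: bytes}); mini-stream entries map to None."""
    if blob[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    sector_shift, = struct.unpack_from("<H", blob, 0x1E)
    size = 1 << sector_shift
    n_fat, first_dir, _, cutoff, _, _, first_difat, n_difat = struct.unpack_from("<8I", blob, 0x2C)
    per = size // 4

    def sector(n):
        return blob[(n + 1) * size:(n + 2) * size]

    difat = list(struct.unpack_from("<109I", blob, 0x4C))
    for _ in range(n_difat):                      # DIFAT overflow sectors (large files)
        chunk = struct.unpack_from("<%dI" % per, sector(first_difat))
        difat.extend(chunk[:-1]); first_difat = chunk[-1]
    fat = [x for s in difat[:n_fat] for x in struct.unpack_from("<%dI" % per, sector(s))]

    def chain(start):
        seen = set()
        while start <= MAXREGSECT and start < len(fat) and start not in seen:
            seen.add(start); yield start; start = fat[start]

    root_clsid, streams = None, {}
    directory = b"".join(sector(s) for s in chain(first_dir))
    for off in range(0, len(directory), 128):
        e = directory[off:off + 128]
        name_len, etype = struct.unpack_from("<HB", e, 0x40)
        if etype not in (2, 5) or name_len < 2:  # 2 = stream, 5 = root storage
            continue
        start, ssize = struct.unpack_from("<IQ", e, 0x74)
        if sector_shift == 9:                     # v3: high dword of the size is undefined
            ssize &= 0xFFFFFFFF
        name = e[:name_len - 2].decode("utf-16-le")
        if etype == 5:
            root_clsid = uuid.UUID(bytes_le=bytes(e[0x50:0x60]))
        elif ssize < cutoff:
            streams[name] = None
        else:
            streams[name] = b"".join(sector(s) for s in chain(start))[:ssize]
    return root_clsid, streams


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in [data.count(b) for b in set(data)])


def ole10native_anomaly(stream):
    """Ole10Native opens with a uint32 'bytes that follow'; a mismatch with the
    real length is the malformed package sizing the second heuristic describes."""
    declared = struct.unpack_from("<I", stream)[0] if len(stream) >= 4 else None
    actual = max(len(stream) - 4, 0)
    return {"declared": declared, "actual": actual,
            "size_mismatch": declared != actual, "entropy": shannon_entropy(stream[4:])}


def triage_ole_part(blob, entropy_threshold=7.0):
    """Apply the report's three heuristics to one embedded OLE part (rule names assumed)."""
    findings = ["OOXML_OLE_OBJECT"]
    clsid, streams = cfb_streams(blob)
    if clsid == EQNEDT_CLSID:
        findings.append("OLE_EQUATION_EDITOR")
    # CFB directory names compare case-insensitively, so match "OLE10nATIvE" too.
    native = next((d for n, d in streams.items() if n.lstrip("\x01").lower() == "ole10native"), None)
    if native is not None and clsid == EQNEDT_CLSID:
        a = ole10native_anomaly(native)
        if a["size_mismatch"] or a["entropy"] >= entropy_threshold:
            findings.append("OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY")
    return findings


def triage_xlsx(fileobj_or_path):
    """Walk xl/embeddings/* of an OOXML workbook and triage every compound-file part."""
    out = {}
    with zipfile.ZipFile(fileobj_or_path) as z:
        for name in z.namelist():
            blob = z.read(name) if name.startswith("xl/embeddings/") else b""
            if blob[:8] == CFB_MAGIC:
                out[name] = triage_ole_part(blob)
    return out


def build_cfb(stream_name, stream_data, root_clsid):
    """Constructed fixture: minimal v3 compound file, one stream in the regular FAT."""
    S = 512
    n_data = -(-len(stream_data) // S)
    fat = [FATSECT, ENDOFCHAIN] + [3 + i for i in range(n_data - 1)] + [ENDOFCHAIN]
    fat += [FREESECT] * (S // 4 - len(fat))

    def entry(name, etype, start, size, clsid, child=FREESECT):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        return (raw.ljust(64, b"\x00") + struct.pack("<HBBIII", len(raw), etype, 1, FREESECT, FREESECT, child)
                + clsid.bytes_le + b"\x00" * 20 + struct.pack("<IQ", start, size))

    header = (CFB_MAGIC + b"\x00" * 16
              + struct.pack("<HHHHH6x9I", 0x3E, 3, 0xFFFE, 9, 6, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<I", 0) + b"\xff" * 432)
    directory = (entry("Root Entry", 5, ENDOFCHAIN, 0, root_clsid, child=1)
                 + entry(stream_name, 2, 2, len(stream_data), uuid.UUID(int=0))).ljust(S, b"\x00")
    return header + struct.pack("<%dI" % len(fat), *fat) + directory + stream_data.ljust(n_data * S, b"\x00")


def demo():
    """Constructed inputs: an exploit-shaped Equation Editor part (odd-cased name,
    size field 10 vs 5120 real bytes, flat histogram so entropy is 8.0) and a
    benign-looking Packager part with consistent sizing and near-zero entropy."""
    shaped = build_cfb("\x01OLE10nATIvE", struct.pack("<I", 10) + bytes(range(256)) * 20, EQNEDT_CLSID)
    benign = build_cfb("\x01Ole10Native", struct.pack("<I", 5000) + b"A" * 5000, PACKAGER_CLSID)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/embeddings/oleObject1.bin", shaped)
        z.writestr("xl/embeddings/oleObject2.bin", benign)
    buf.seek(0)
    return triage_xlsx(buf)


if __name__ == "__main__":
    for part, findings in demo().items():
        print(part, findings)
```

Because `cfb_streams` skips the mini stream, a payload smaller than 4096 bytes would be reported as None and not scored; a production version would also follow the mini FAT and parse the Equation Native stream so the MTEF primitive can be matched before any CVE is assigned.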

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 2d075d66ce42fbadd6de68b974204f290a64d2bccbcd86babc4065dd46d471ee
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part xl/embeddings/sjAq5vRjZ.H9jl30x
  Size: 1052160 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 5d5c82252f9b98441e586a45efcc3a3fddc6b88a745c3e2428960990b6984a8f
  Kind: ole-package
  Source: OOXML xl/embeddings/sjAq5vRjZ.H9jl30x, Ole10Native stream (stored as OLE10nATIvE)
  Size: 1041135 bytes