Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 52d948e1148ad680…

MALICIOUS

Office (OOXML) / .XLSX

722.9 KB Created: 2023-09-27 08:05:40 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2023-09-29
MD5: b33296017fda84df4ed4eb572d597956 SHA-1: 80ee387c79fc26753c3eed2738edbe21b4a93b5d SHA-256: 52d948e1148ad6801afe4669db47fced0d7a2eaaf75fca2b0dc663511d00d51d
100 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The file contains an embedded OLE object, specifically identified as a Equation Editor object, which is known to be a vector for exploits. The 'OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY' heuristic indicates that this object carries a payload-like stream with an anomalous header and size difference, strongly suggesting it's designed to execute malicious code. The document body content is obfuscated and does not provide direct clues to the user-facing lure.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/iE0fzW.RWTnDuP contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
ec9b4556c535214b61a472567a04c176792ddc60a2342a457a87ed3d58c15655		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/iE0fzW.RWTnDuP 997376 bytes
ooxml_oleobject_00_ole10native_00.bin
6bba9912bb3391881e895ce81e39497c96424f0e5f1dfba5df0536abfed47b88		 ole-package OOXML xl/embeddings/iE0fzW.RWTnDuP Ole10Native stream: oLE10nativE 986836 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.