Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 5441bde37c0452f4…

MALICIOUS

Office (OOXML) / .XLSX

Size: 717.9 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 8eaefa107f8438bdd85cec433b72e560
SHA-1: fa27ea072b72fd99d064079121f269ff8b915020
SHA-256: 5441bde37c0452f4fd29a10cbc39b6f68027c4bebcc1391f3da65a7fb74f5b06
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The sample is an OOXML workbook with one embedded OLE object, stored at xl/embeddings/KnhTM0O.ID1I6eK. The high-severity heuristic OLE_EQUATION_EDITOR identifies that object by its Equation Editor CLSID; the legacy Equation Editor (EQNEDT32.EXE) is the component targeted by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798, so an Equation Editor object in a workbook delivered by e-mail is treated as a probable exploit carrier. The object also holds a roughly 1 MB Ole10Native (package) stream, reported under the non-canonical name 'ole10natIVE'; compound-file directory names are matched case-insensitively, so Office still treats it as the package stream, and it is the first thing to inspect. No macros or scripts were extracted and the sheet content looks like legitimate commercial data, so any malicious behaviour is confined to the embedded object. The CLSID match is a strong indicator, not proof of exploitation: confirm by carving the object (see the extracted artifacts below), checking whether it carries an Equation Native stream (the MTEF data in which the CVE-2017-11882 font-record overflow would sit), and examining what the Ole10Native stream packages.

Heuristics (2)

  • OLE_EQUATION_EDITOR (severity: high, CVE-related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/KnhTM0O.ID1I6eK contains the Equation Editor CLSID, the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • OOXML_OLE_OBJECT (severity: medium): Embedded OLE object
    Document contains an embedded OLE object.
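One way to reproduce the two heuristics above outside the analysis platform, as an added example (not the service's own code): the script below opens an OOXML container, enumerates every part under an embeddings/ folder and byte-scans it for the compound-file magic, the Equation Editor CLSID and the Ole10Native stream name, matching the name case-insensitively over UTF-16LE (the encoding compound-file directory entries use) so a mangled name like the 'ole10natIVE' reported here is still found and flagged. It is a triage scan, not a compound-file parser; the workbook it builds is constructed in memory and its embedding part carries only the bytes the scan keys on, not a valid compound file. All function names are mine.

```python
"""Byte-level triage of embedded OLE parts in an OOXML container.

Added example, not the analysis platform's code.  Scans each
*/embeddings/* part for the markers the report's heuristics key on
without a full CFB parse, so it is a triage step, not a verdict.
"""
import io
import re
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}
# as stored on disk: Data1..Data3 little-endian, Data4 as-is.
EQNEDT_CLSID = b"\x02\xce\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"


def utf16le_ci(name):
    """Regex matching an ASCII name case-insensitively as UTF-16LE bytes."""
    out = b""
    for ch in name:
        lo, up = ch.lower(), ch.upper()
        if lo != up:
            out += b"[" + re.escape(lo.encode()) + re.escape(up.encode()) + b"]"
        else:
            out += re.escape(ch.encode())
        out += b"\x00"  # high byte of a UTF-16LE ASCII code unit
    return re.compile(out)


OLE10NATIVE_RE = utf16le_ci("Ole10Native")
EQUATION_NATIVE_RE = utf16le_ci("Equation Native")


def triage_ole_part(data):
    """Return the raw indicators found in one embedded part."""
    f = {
        "is_cfb": data.startswith(CFB_MAGIC),
        "equation_editor_clsid": EQNEDT_CLSID in data,
        "equation_native_stream": EQUATION_NATIVE_RE.search(data) is not None,
        "ole10native_stream": None,        # name as found, if any
        "ole10native_case_mangled": False,  # True if casing is not canonical
    }
    m = OLE10NATIVE_RE.search(data)
    if m:
        name = m.group(0).decode("utf-16-le")
        f["ole10native_stream"] = name
        f["ole10native_case_mangled"] = name != "Ole10Native"
    return f


def heuristics(f):
    """Map indicators to the report's heuristic IDs and severities."""
    hits = []
    if f["equation_editor_clsid"]:
        hits.append(("high", "OLE_EQUATION_EDITOR"))
    if f["is_cfb"]:
        hits.append(("medium", "OOXML_OLE_OBJECT"))
    return hits


def triage_ooxml(blob):
    """Scan every embeddings/ part (xl/, word/ and ppt/ all use it)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            if "/embeddings/" not in name:
                continue
            f = triage_ole_part(z.read(name))
            f["heuristics"] = heuristics(f)
            results[name] = f
    return results


def build_sample():
    """Constructed test input: a minimal zip with one fake embedding part.
    The part is NOT a valid compound file; it only carries the bytes the
    scan keys on, with the stream name case-mangled as in the report."""
    part = (CFB_MAGIC + b"\x00" * 24
            + EQNEDT_CLSID
            + "ole10natIVE".encode("utf-16-le") + b"\x00" * 8)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/embeddings/oleObject1.bin", part)
    return buf.getvalue()


if __name__ == "__main__":
    for part, found in triage_ooxml(build_sample()).items():
        print(part, found)
```

Run it against a real workbook with `triage_ooxml(open(path, "rb").read())`; a hit on OLE_EQUATION_EDITOR is the cue to carve the part and parse it with a proper compound-file reader, since this scan cannot tell a CLSID in the root entry from the same bytes elsewhere in the part.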

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: fec4e50fbc191f79361248f6f7a625aa2e35185eecc6442a5a49fae61516469a
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part xl/embeddings/KnhTM0O.ID1I6eK
    Size: 1060352 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: e9cb64d9ce4e19989fabb7cee13f2ca86455ee6e3d961880eae537594a83c255
    Kind: ole-package
    Source: Ole10Native stream 'ole10natIVE' inside OOXML part xl/embeddings/KnhTM0O.ID1I6eK
    Size: 1049270 bytes