Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 5783ba71624b45fc…

MALICIOUS

Office (OOXML) / .XLSX

Size: 623.3 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 6a53320764902bbed95d1df974b87ce7
SHA-1: 1f9c73567fb292ab2c86fd5e9cc0ab462f4321e8
SHA-256: 5783ba71624b45fc1a30a9826b910e665f34bfe5e243fae9f3a37ead064eb6de
Risk score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. This strongly suggests exploitation of a known vulnerability within the Equation Editor component to achieve arbitrary code execution. The embedded object's filename is also listed as an IOC. No scripts were extracted, and the document body content appears to be unrelated business information, making the OLE object the primary indicator of malicious intent.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE-related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/faL5kJRK.vJsxW contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
ooxml_oleobject_00.bin | 468b61f452c17b8af2f82084a96e30d6a7ebe182df3bec421e0b09e03d15e7ce | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/faL5kJRK.vJsxW | 924672 bytes
ooxml_oleobject_00_ole10native_00.bin | 01daae25b40d3a4883c4394247f62f5fa0edb7142611c41666447d67cc3d0baf | ole-package | OOXML xl/embeddings/faL5kJRK.vJsxW, Ole10Native stream (stream name as stored: OLe10naTIvE) | 914573 bytes