Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 5a83abc18a413203…

MALICIOUS

Office (OOXML) / .XLSX

702.8 KB Created: 2022-07-21 17:04:09 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2022-07-23
MD5: 61e9554c551ec5220fad8df84c412359 SHA-1: 82b800c1c224768d3855b514cb31acc5156c4f52 SHA-256: 5a83abc18a4132032711623cd0f589d0dc3307d5e2ac0f8bb779ad798ea9a90d
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The file contains an embedded OLE object, specifically identified as an Equation Editor object, which is known to be exploited to execute arbitrary code. The OLE object's 'Ole10Native' stream exhibits anomalies, indicating it likely carries a malicious payload. This exploit is commonly delivered via spearphishing attachments.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/Kgj1sGZ.2FTyu contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
3a2ad0e80729ff79d53caaf41eaab3ecf7ee87eea82787ee213589de621181e5		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/Kgj1sGZ.2FTyu 1021440 bytes
ooxml_oleobject_00_ole10native_00.bin
90394d423036a6ba9c14dbbfa90452543f4b894edfa292f1aa2464a1f722dd6a		 ole-package OOXML xl/embeddings/Kgj1sGZ.2FTyu Ole10Native stream: ole10NatIVe 1011017 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.