Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 5be3141dc1b3f469…

MALICIOUS

Office (OOXML) / .XLSX

Size: 36.3 KB
Created: 2022-05-16 17:34:45 UTC
Authoring application: Microsoft Excel 15.0300
MD5: af3f2cae980e8b3cedd44eaa95952f63
SHA-1: c7a99dac364b7a97db06b2fededade21ac946d52
SHA-256: 5be3141dc1b3f469d4188d60f94dc78e505926dc54c927edff7ade8ea142ef72
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Excel file containing an embedded OLE object identified as an Equation Editor object. Heuristics indicate a high likelihood of exploitation for CVE-2018-0798, which allows for arbitrary code execution when the object is activated. No document body or scripts were extracted, but the presence of the vulnerable object strongly suggests an exploit attempt.

Heuristics (3)

  • Equation Editor OLE object [severity: high; CVE related] (rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • CVE-2018-0798: anomalous Equation Editor native stream [severity: high; CVE likely] (rule: CVE_2018_0798_EQUATION_NATIVE_ANOMALY)
    Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
  • Embedded OLE object [severity: medium] (rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

Filename: ooxml_oleobject_00.bin
  SHA-256: 5bff13407ca06e265a5a778eff04c646d68327bfb0e33caaa2e339f467bdb19c
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/oleObject1.bin
  Size:    4096 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: cc4f405c8b94f3e02fcd0c7ca772ba0a824891bbb64b6a0278d5e6c3d99caae9
  Kind:    ole-package
  Source:  OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
  Size:    1637 bytes

Filename: emf_00.emf
  SHA-256: 38f17a599ac5d645df3840bbb401710ef81573a747da20abbfc1b7d9a9273b58
  Kind:    ooxml-emf
  Source:  OOXML EMF part: xl/media/image1.emf
  Size:    169096 bytes