Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 5de358ba307bae67…

MALICIOUS

Office (OOXML) / .XLSX

Size: 623.6 KB | Created: 2010-06-04 08:55:28 UTC | Authoring application: Microsoft Excel 15.0300 | First seen: 2023-09-21
MD5: 8bfc6b49f84cc9d074649f1334873b00
SHA-1: babe83508eb20d9ab9945b95c3f7501279072ed7
SHA-256: 5de358ba307bae67bf2d3b5fb0f1bb25a48bcbfd0f09f0946cebeaacec85087d
Risk score: 100

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model; T1204.002 User Execution: Malicious File

The file embeds a single OLE object whose root storage declares the Equation Editor (Microsoft Equation 3.0) CLSID, the legacy EQNEDT32.EXE component behind a well-known family of memory-corruption exploits. A genuine Equation object stores its MTEF formula data in an "Equation Native" stream; this one instead carries an Ole10Native (Packager) stream of 851076 bytes that is high in entropy and whose declared sizes do not agree with the stream's actual length. That combination is what the OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY heuristic fires on: an exploit-shaped container used to smuggle a payload rather than a formula. No VBA or other scripts were extracted, so the embedded object is the whole of the finding, and on its own it supports the MALICIOUS verdict; note that the heuristics do not tie it to a specific CVE. The creation timestamp and the Excel 15.0300 authoring string are read from the package's docProps parts, which the author controls, so they say nothing reliable about when or with what the file was made.

Heuristics (3)

  • Equation Editor OLE object (severity: high; CVE related; rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/lpWC.47kFaEl carries the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}, the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. The CLSID alone only says which server Office would load; the shape of the stored data decides whether this is a formula or an exploit.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high; rule OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    The object declares the Equation Editor CLSID but, instead of the "Equation Native" stream that holds MTEF formula data, stores a large, high-entropy Ole10Native (Packager) stream whose declared sizes do not match its actual length. This is the exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. The rule does not attribute a specific CVE unless the MTEF/Equation Native primitive (the malformed font-name or matrix record that triggers the overflow) also matches.
  • Embedded OLE object (severity: medium; rule OOXML_OLE_OBJECT)
    Document contains an embedded OLE object. Excel itself writes these parts as xl/embeddings/oleObjectN.bin, so the random-looking part name lpWC.47kFaEl is a secondary sign that the package was assembled or modified outside Excel.
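The three heuristics above reduce to checks a triage script can run on the carved object. The following Python is an added worked example, not the scanner's own code, and uses none of the sample's bytes: it tests the Equation Editor CLSID in a CFB directory entry, matches the Ole10Native stream name the way Office does (case-insensitively), and checks the stream's declared sizes and entropy. Compound-file parsing is left to the caller (olefile or similar): `entry` is a raw 128-byte CFB directory entry and `stream` the raw Ole10Native stream bytes. The entropy threshold, the oleObjectN.bin naming pattern and all sample data are assumptions made here.

```python
"""Triage checks for an OLE object carved from an OOXML package (added example)."""
import io
import math
import re
import struct
import uuid
import zipfile
from collections import Counter

# CLSID of "Microsoft Equation 3.0" (EQNEDT32.EXE).
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
HIGH_ENTROPY = 7.0   # bits per byte; threshold is an assumption
# Office's own naming for embedded-object parts (assumed pattern).
NORMAL_PART = re.compile(r"^(xl|word|ppt)/embeddings/oleObject\d+\.bin$")


def embedded_ole_parts(ooxml: bytes) -> list:
    """(part name, unusual-name?) for every embeddings part in the zip."""
    with zipfile.ZipFile(io.BytesIO(ooxml)) as z:
        return [(n, not NORMAL_PART.match(n)) for n in z.namelist()
                if "/embeddings/" in n]


def clsid_from_directory_entry(entry: bytes) -> uuid.UUID:
    """CLSID sits at offset 80 of a 128-byte CFB directory entry, as a
    little-endian GUID (MS-CFB 2.6.1)."""
    if len(entry) != 128:
        raise ValueError("CFB directory entries are exactly 128 bytes")
    return uuid.UUID(bytes_le=entry[80:96])


def is_ole10native_name(name: str) -> bool:
    """CFB directory lookups are case-insensitive, so Office treats
    'olE10NAtIVe' exactly like '\\x01Ole10Native'; a case-sensitive match
    in a detector would not. \\x01 is the control prefix OLE1 adds."""
    return name.lstrip("\x01").lower() == "ole10native"


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_ole10native(stream: bytes) -> dict:
    """Ole10Native = 4-byte LE NativeDataSize + NativeData. For Packager
    objects NativeData is: 2-byte flags, ANSI label NUL, ANSI filename NUL,
    2 bytes, 4-byte temp-path length, path, 4-byte data size, data."""
    if len(stream) < 4:
        raise ValueError("too short for a NativeDataSize field")
    declared = struct.unpack_from("<I", stream, 0)[0]
    actual = len(stream) - 4
    info = {"declared_size": declared, "actual_size": actual,
            "size_mismatch": declared != actual,
            "entropy": round(shannon_entropy(stream[4:]), 3),
            "inner_size_ok": False}
    try:
        pos = stream.index(b"\x00", 6) + 1            # past size+flags, label
        pos = stream.index(b"\x00", pos) + 1          # filename
        pos += 2
        pos += 4 + struct.unpack_from("<I", stream, pos)[0]   # temp path
        inner = struct.unpack_from("<I", stream, pos)[0]      # data size
        info["inner_size_ok"] = inner <= len(stream) - pos - 4
    except (ValueError, struct.error):
        pass                                          # malformed: stays False
    return info


def assess(entry: bytes, stream_name: str, stream: bytes) -> list:
    """Names of the report's heuristics that fire for this object."""
    flags = []
    is_eqn = clsid_from_directory_entry(entry) == EQUATION_EDITOR_CLSID
    if is_eqn:
        flags.append("OLE_EQUATION_EDITOR")
    # A real Equation object carries "Equation Native", not Ole10Native;
    # sizing or entropy anomalies on that stream make it payload-shaped.
    if is_eqn and is_ole10native_name(stream_name):
        info = parse_ole10native(stream)
        if (info["size_mismatch"] or not info["inner_size_ok"]
                or info["entropy"] > HIGH_ENTROPY):
            flags.append("OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY")
    return flags


# --- constructed test data (not taken from the sample) -------------------
def build_packager_stream(filename: bytes, payload: bytes,
                          outer_delta: int = 0, inner_delta: int = 0) -> bytes:
    path = b"C:\\tmp\\" + filename + b"\x00"
    native = (b"\x02\x00" + filename + b"\x00" + filename + b"\x00\x00\x00"
              + struct.pack("<I", len(path)) + path
              + struct.pack("<I", len(payload) + inner_delta) + payload)
    return struct.pack("<I", len(native) + outer_delta) + native


def build_xlsx(part_name: str, part_bytes: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(part_name, part_bytes)
    return buf.getvalue()


EQN_ENTRY = bytes(80) + EQUATION_EDITOR_CLSID.bytes_le + bytes(32)
BENIGN = build_packager_stream(b"notes.txt", b"hello world " * 20)
SUSPECT = build_packager_stream(b"x", bytes(range(256)) * 8,
                                outer_delta=-100, inner_delta=5000)

if __name__ == "__main__":
    print(embedded_ole_parts(build_xlsx("xl/embeddings/lpWC.47kFaEl", b"")))
    print(assess(EQN_ENTRY, "\x01Ole10Native", BENIGN))
    print(assess(EQN_ENTRY, "olE10NAtIVe", SUSPECT))
```

The benign stream trips only OLE_EQUATION_EDITOR (the CLSID match is informational by itself); the suspect one, with a lying outer size, an inner size larger than the data that follows it and near-maximal entropy, also trips the payload anomaly. Note that `is_ole10native_name` deliberately lowercases before comparing, which is the check that a case-sensitive signature on `\x01Ole10Native` would fail.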

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: c0582e9486b7ffb8783680ee4564e57e118dd6cd383844710ace5abf878ed5c4
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part xl/embeddings/lpWC.47kFaEl
  Size: 860672 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 3d4df1a1c29e9f2e057b3f9cf58e535e2a512f872a150d39f1ccd62bd07a0bed
  Kind: ole-package
  Source: Ole10Native stream "olE10NAtIVe" inside xl/embeddings/lpWC.47kFaEl
  Size: 851076 bytes

The Ole10Native stream accounts for 851076 of the 860672 bytes of the OLE container, so almost the entire object is payload rather than structure. Its mixed-case name is worth a second look: compound-file directory lookups are case-insensitive, so Office resolves "olE10NAtIVe" exactly as it would "\x01Ole10Native", while a detector that matches the stream name case-sensitively will not find it.