Office (OOXML) / .XLSX malware analysis — malicious · 60284d4addfe110a

MALICIOUS

Office (OOXML) / .XLSX

8.5 KB Created: 2021-04-28 14:40:56 UTC Authoring application: Microsoft Excel 15.0300

MD5: b912c0468eb8c6c31ca83a4de21ed61b SHA-1: 90cff4012407fb190d10bec7ec62639869e8b6f4 SHA-256: 60284d4addfe110a64651f10cfd4873f71b7a7e6e6c32aa3f1308a0ca7578d7f

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a malicious Excel file containing an embedded OLE object that exploits CVE-2018-0798 in Microsoft Equation Editor. This vulnerability allows for arbitrary code execution when the embedded object is activated, likely leading to the download and execution of a secondary payload.

Heuristics 3

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
CVE-2018-0798 — anomalous Equation Editor native stream high CVE likely CVE_2018_0798_EQUATION_NATIVE_ANOMALY

Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `be93d0417b77b3ef500e0cf40fc0d07a32560170414e288865d0ec83cc09c5e1`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject1.bin	3584 bytes
`ooxml_oleobject_00_ole10native_00.bin` `66286cf7134f8c5dbef6d498deb1fe9d05ca7f86151d1b1740195781ceaa7c15`	ole-package	OOXML xl/embeddings/oleObject1.bin Ole10Native stream: ole10NAtiVe	1440 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.