Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 60695d4f3ad03374…

MALICIOUS

Office (OOXML) / .XLSX

627.5 KB Created: 2010-06-04 08:55:28 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2023-08-29
MD5: aea0bcf38202e49ea03d9f5a60e44d54 SHA-1: dd024ca2ef5da48e80e91f84d4c99df80227006c SHA-256: 60695d4f3ad0337405d209f5d54335bb5a8e68c5086e62a3d74faea175ab2b73
100 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The file is an Excel document containing an embedded OLE object, specifically identified as a Equation Editor object. High-severity heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous header, suggesting it's being used to deliver malicious content. The presence of this anomalous object strongly points towards an exploit targeting the Equation Editor vulnerability.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/FL.3bmhjj5 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
3ae9d784b625ac96a2a2000a25ab712139a1bb7a58e230ce3de9cac18448a81f		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/FL.3bmhjj5 929280 bytes
ooxml_oleobject_00_ole10native_00.bin
8c505bef057a8b72c03c7208ebdfc213d6122783678026ac30b53b87f89984f3		 ole-package OOXML xl/embeddings/FL.3bmhjj5 Ole10Native stream: Ole10NatiVe 919120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.