Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 615a766ab51427a2…

MALICIOUS

Office (OOXML) / .XLSX

1.43 MB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2021-06-20
MD5: 282a753be9e47bae7d38163ce52404f1 SHA-1: 96497197b34bbbf2704051945d315c229c47f82b SHA-256: 615a766ab51427a2d02af8ed1e4c262f0bccbb24c9b2ca890cb4760eb15ea241
132 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an Office Open XML spreadsheet containing an embedded OLE object, specifically exploiting the Equation Editor. Heuristics indicate this object carries a payload-like Ole10Native stream with an anomalous header and high entropy, suggesting it is shellcode. The embedded URL http://www.day.com/dam/1.0 is likely used to download a second-stage payload. The presence of hidden sheets further supports the concealment of malicious content.

Heuristics 7

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.day.com/dam/1.0 In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
    • http://ns.adobe.com/tiff/1.0/In document text (OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)

Extracted artifacts 11

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject2.bin 10240 bytes
SHA-256: 4634906751fad42fb1e049faadc426736582e78f28bca0e051847b17f3526d40
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native 8679 bytes
SHA-256: e2a4ccb3d22d0a74503e9612b8eac3d675f9f0cdcaf1203ab9c182b0b99ac339
ooxml_oleobject_00_ole10native_00_..-_---.----------------.-.-.-.-.-_----_-_-_------------_.xlam ole-package-payload OOXML xl/embeddings/oleObject2.bin Ole10Native payload: display_name=..-_---.----------------.-.-.-.-.-_----_-_-_------------_.xlam; full_path=C:\Users\91974\AppData\Local\Temp\..-_---.----------------.-.-.-.-.-_----_-_-_------------_ (2).xlam; temp_path=; def_file= 7863 bytes
SHA-256: c3b0f8d61a90bb1c619cb9dd072c9313094ac943fc892ecfc60b648e640ee573
ooxml_oleobject_01.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject3.bin 10240 bytes
SHA-256: 119e7a7013d1f03cf958f50ea7b46e827abec913db3a20c74d502ae40e7a4edd
ooxml_oleobject_01_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject3.bin Ole10Native stream: Ole10Native 8679 bytes
SHA-256: d15a0f9295214e8d7e89aaa2524eefc1c4f34c3d0e1455017ff6f6ca56b210ea
ooxml_oleobject_02.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 1076736 bytes
SHA-256: 74a110abb3ce7cb49180833d0979d53cdb34a2d158f92098deecadbfa8355a33
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL
ooxml_oleobject_02_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: olE10NatiVe 1065761 bytes
SHA-256: 40b769c306c42600da55695a78fcb82177a1eb29fa073ac15366bc2f867d6585
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL
ooxml_oleobject_03.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/Microsoft_Office_Word_Macro-Enabled_Document1.docm 122518 bytes
SHA-256: 14e1735766737db0fd1b1c59e2db5d25b197e4b1ba451cc2e04d61be4d333393
ooxml_oleobject_04.bin ooxml-ole-object OOXML embedded OLE part: xl/printerSettings/printerSettings1.bin 5420 bytes
SHA-256: 1fd5106f1cbc8eff781f74bc40d21fba15a7a29481b1f033e6d401bb4c7a13cc
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image8.emf 648132 bytes
SHA-256: 08a70584e1492da4ec8557567b12f3ea3c375dad72ec15226cafb857527e86a5
emf_01.emf ooxml-emf OOXML EMF part: xl/media/image9.emf 7608 bytes
SHA-256: baf3b3c716b4db009c44f2051bc98a549300d9c49f8b08298a66f7395ff80b26

Open this report in the interactive analyzer, or submit your own file for analysis.