Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 62205b3a110eaa81…

MALICIOUS

Office (OOXML) / .XLSX

Size: 678.3 KB
Created: 2023-07-26 19:45:53 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2023-09-16
MD5: c32b725e343ab11b63257fdb84acafb4
SHA-1: 91e919a3427b52062e6dbda0c4254ca38554ecae
SHA-256: 62205b3a110eaa81f9e5e175e6708b7607dac880cbceffbb71024b7e3c6d3e70
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The sample is an OOXML file containing an embedded OLE object, specifically identified as an Equation Editor object. This strongly suggests exploitation of a known vulnerability within the Equation Editor component to execute arbitrary code. The embedded object is likely a secondary payload designed to further compromise the system.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/ISc4A1gtq.BA3G contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 4ee40a1a5a7d7663753882f00b78abfaa50dc61437299cfead9d0bce2ffb073c
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/ISc4A1gtq.BA3G
  Size: 943104 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 99f400ba22d0371c72168a3d15c4590fa3f15c85b4fb76192b42bd8f3eef7c47
  Kind: ole-package
  Source: OOXML xl/embeddings/ISc4A1gtq.BA3G, Ole10Native stream (stream name as stored: Ole10NATivE)
  Size: 932980 bytes