Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 62b3a8cbd12d2ad3…

MALICIOUS

Office (OOXML) / .XLSX

644.8 KB Created: 2023-11-17 18:26:59 UTC Authoring application: Microsoft Excel 12.0000
MD5: 204f00fbb567da8331413f42a2ee684a SHA-1: 5bdee0bf878d12d5c4330c58043b5e43dc5e676b SHA-256: 62b3a8cbd12d2ad3e847da259c167af493d3742cf1171b41141228fa0841d323
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate this object carries a payload-like stream with an anomalous header, strongly suggesting exploitation of a vulnerability like CVE-2017-11882. The document body contains financial calculation data, which could be a lure or a distraction. The primary attack vector is likely spearphishing, with the embedded exploit enabling client-side execution.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/xki.fQU0Nj contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
578f40914a594ba25e43e2b51bdcbe499be2e1666e7123ed6bb9298c07b18272		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/xki.fQU0Nj 962560 bytes
ooxml_oleobject_00_ole10native_00.bin
fe0c55afd37b7fdf8171c76a39ec6e2108aa895a4ea1efd3b931e270930d3507		 ole-package OOXML xl/embeddings/xki.fQU0Nj Ole10Native stream: OLe10NATivE 952537 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.