Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 63cb2f91bcae5510…

MALICIOUS

Office (OOXML)

704.0 KB Created: 2011-08-17 10:24:39 UTC Authoring application: Microsoft Excel 16.0300
MD5: b3531b9f189469ceafcdc19587e2ab3b SHA-1: d92bfb0e0b9f59cea0675e5b0b91511a17dae7e5 SHA-256: 63cb2f91bcae5510a3d59822eccea2dee08d9484ff14ea813a4c38f78f299eb7
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. High-severity heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous header and size mismatch, strongly suggesting exploitation of a vulnerability like CVE-2017-11882 for client execution. The document body content appears to be a fabricated quote or estimate, likely a lure to encourage opening the malicious attachment.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/3bBsytSw.aMVzWy contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
54905e9ff8845159963dfbe014c45b5d6d0e656d3827f122717ab1efa46b118f		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/3bBsytSw.aMVzWy 935424 bytes
ooxml_oleobject_00_ole10native_00.bin
2b77d5b6287f09291b3298bce672a36da26ff344f25e19c6a6d8984494f47712		 ole-package OOXML xl/embeddings/3bBsytSw.aMVzWy Ole10Native stream: oLE10NATiVe 925253 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.