MALICIOUS
78
Risk Score
Heuristics 5
-
Equation Editor OLE object low OLE_EQUATION_EDITOREmbedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
-
Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALYEmbedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
-
Embedded OLE object medium OOXML_OLE_OBJECTDocument contains an embedded OLE object
-
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEETExcel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
🗂 Part of campaign:
i8.ae
63 samples
Extracted artifacts 9
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
ooxml_oleobject_00.bin |
ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject3.bin | 29696 bytes |
SHA-256: acbd3d081180cf310b4d6ffa90e00445f3f98fc29b73188635c4f42eece97071 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
|
|||
ooxml_oleobject_00_ole10native_00.bin |
ole-package | OOXML xl/embeddings/oleObject3.bin Ole10Native stream: Ole10Native | 28007 bytes |
SHA-256: d0e65243df358f9ee7948eadb2c9e55da3344dd9a0ee3fcc11d3188c924dc972 |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.61, consistent with packed or encrypted content.
|
|||
ooxml_oleobject_00_ole10native_00_......................................................................pptx |
ole-package-payload | OOXML xl/embeddings/oleObject3.bin Ole10Native payload: display_name=......................................................................pptx; full_path=C:\Users\sys\AppData\Local\Temp\......................................................................pptx; temp_path=; def_file= | 27140 bytes |
SHA-256: f37b4a7566bd55386ec3329d873aa1d1cce22c77cde25064cb6c210121830b0c |
|||
ooxml_oleobject_01.bin |
ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject1.bin | 888832 bytes |
SHA-256: 3b1ee7c01ea2609578bdaed1e1a8c045bd4b9ea9cc4d511f3b3cb86c16cea5c0 |
|||
ooxml_oleobject_01_ole10native_00.bin |
ole-package | OOXML xl/embeddings/oleObject1.bin Ole10Native stream: oLE10NAtive | 879404 bytes |
SHA-256: 3f4d6057b3c472cb740975c080cb67d1b1d10135e9504e0a6e5a79c51924042f |
|||
ooxml_oleobject_02.bin |
ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject2.bin | 1535488 bytes |
SHA-256: cbae6484ac11a7c13dd9cb03019b43df94406e3408e4a2a08f06b62cf08969cf |
|||
ooxml_oleobject_02_ole10native_00.bin |
ole-package | OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native | 1520900 bytes |
SHA-256: f7bfcd2cfafe65360c900b06396fb593106749574e01161bc1df7461e65c0804 |
|||
emf_00.emf |
ooxml-emf | OOXML EMF part: xl/media/image2.emf | 3042216 bytes |
SHA-256: 072a6a893b25f4848345ae02773b4dd141c43ec598f34f1da6844dabe6ca8a42 |
|||
emf_01.emf |
ooxml-emf | OOXML EMF part: xl/media/image3.emf | 5376 bytes |
SHA-256: 879d94d1591f417622934d4264766e6c8f2e1e1e41f902d54a37027acb6fec66 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.