Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 662980a1e60b066c…

MALICIOUS

Office (OOXML) / .XLSX

Size: 603.5 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2022-09-23
MD5: 367c91e8a86520c741d271ab36f78b12
SHA-1: 9b7c7dc8a5d6521af7c2292454d185fe436a7483
SHA-256: 662980a1e60b066c942b884b8f3de36a5c1ad65cf42f1a1358711f5e976d4f38
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The file is an Excel document containing a high-risk OLE object, specifically an Equation Editor object with an anomalous Ole10Native stream. This structure is indicative of an exploit, likely targeting vulnerabilities within the Equation Editor to execute arbitrary code. The embedded OLE object is the primary indicator of malicious intent, suggesting it's designed to deliver a secondary payload upon interaction.

Heuristics (3)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/IExI.JPA contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high; rule: OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: def8eb982fe0704a2dca53ca459fb55857362edd53c591fddf55a7c17af7bd15
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/IExI.JPA
  Size:    824320 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: d6f76e9f81d08928ca317c2ee7efc7687a4fc3c40f4d4cc77037400b9115c48e
  Kind:    ole-package
  Source:  OOXML xl/embeddings/IExI.JPA Ole10Native stream: olE10NatIve
  Size:    815414 bytes