Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 680218710b568ed6…

MALICIOUS

Office (OOXML) / .XLSX

Size: 632.0 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 14.0300
(Creation time and application string are read from the document's own docProps metadata; they are attacker-controlled and should be treated as claims, not facts.)

MD5: 67c6925d5b022483822ffaa278bb874a
SHA-1: 7ca5a2deaac3da997477263ccea7bbd4fb5225f9
SHA-256: 680218710b568ed6f5c128f73346d00759912dda019c8056139125da5d3792ea

Risk score: 68

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The document contains invoice-related text, which triggers the SE_INVOICE_LURE heuristic, and an embedded OLE object carrying the Equation Editor CLSID, the legacy component exploited by the CVEs listed under the heuristics below. Together these indicate a file built to give the recipient a pretext (a payment or invoice) for opening a document whose embedded object is the execution vector rather than the content. Two caveats for the analyst: a CLSID match is a strong but not conclusive indicator on its own, and the child stream carved from the object is an Ole10Native (Packager-style) stream rather than Equation Editor's own "Equation Native" stream, so the carved 893 KB stream should be examined directly to confirm what is actually delivered before attributing the sample to a specific CVE.

Heuristics (3)

  • Equation Editor OLE object [high, CVE-related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/ejF.PBvk contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 0f880d57632c79cc344846234918082f796380a0088f3798c7b3e5bdf6a8a0c4
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/ejF.PBvk
  Size:    902656 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 79fc4d0c2d5bf80868b3a71f777089f8114125feefc456e75adade04a4ec8cab
  Kind:    ole-package
  Source:  OOXML xl/embeddings/ejF.PBvk Ole10Native stream: Ole10Native
  Size:    893236 bytes
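The following Python is an added example, not tooling from this report's analysis pipeline, reproducing the two checks that the OLE_EQUATION_EDITOR heuristic and the Ole10Native carve above rest on: it walks an .xlsx for xl/embeddings/ parts that are really CFB (OLE2) containers regardless of their name (the sample's part is called ejF.PBvk, not oleObject1.bin), byte-scans each for the Equation Editor CLSID in its on-disk GUID layout, compares that with the progId the worksheet XML claims, and parses a carved Ole10Native stream into its label, paths and payload. The CFB parsing step that actually carves the stream out of the container is assumed to have been done already (for example with olefile); the Ole10Native field layout is the Packager layout as commonly documented, and the input files, file names and MZ payload are constructed stand-ins, not the real sample.

```python
"""Triage of an .xlsx with an embedded OLE object: added example, not the report's own tooling."""
import io
import re
import struct
import uuid
import zipfile

# Compound File Binary (OLE2) signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CLSID of the legacy Equation Editor 3.0 component (EQNEDT32.EXE), the
# identifier the report's OLE_EQUATION_EDITOR heuristic keys on.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
# progId attribute of <oleObject> elements in worksheet XML.
OLE_OBJECT_RE = re.compile(rb'<oleObject\b[^>]*\bprogId="([^"]*)"')


def find_embedded_ole_parts(xlsx_bytes):
    """{part name: bytes} for every xl/embeddings/ part that is a CFB container.

    Go by magic, not by name: the sample stores its object as ejF.PBvk, not the
    oleObject1.bin Excel itself would write.
    """
    parts = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("xl/embeddings/"):
                data = zf.read(name)
                if data.startswith(OLE_MAGIC):
                    parts[name] = data
    return parts


def declared_prog_ids(xlsx_bytes):
    """progId values the worksheet XML claims for its OLE objects (attacker-written, untrusted)."""
    ids = set()
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                ids.update(m.decode("ascii", "replace") for m in OLE_OBJECT_RE.findall(zf.read(name)))
    return ids


def has_equation_editor_clsid(ole_bytes):
    """Byte-scan for the CLSID in its on-disk (GUID little-endian) layout.

    Triage shortcut: proves the CLSID is present somewhere in the container, not
    that it sits in the root directory entry, so confirm with a CFB parser
    (e.g. olefile) before attributing to a specific CVE.
    """
    return EQUATION_EDITOR_CLSID.bytes_le in ole_bytes


def _cstring(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end], end + 1


def parse_ole10native(stream):
    """Parse a carved Ole10Native stream (Packager layout, assumed here):
    u32 total size, u16 flags, label\\0, source path\\0, two u32 fields,
    temp path\\0, u32 payload size, payload bytes."""
    declared_total, = struct.unpack_from("<I", stream, 0)
    pos = 6  # skip the size and the u16 flag word
    label, pos = _cstring(stream, pos)
    source_path, pos = _cstring(stream, pos)
    pos += 8  # two u32 fields not needed for triage
    temp_path, pos = _cstring(stream, pos)
    payload_size, = struct.unpack_from("<I", stream, pos)
    payload = stream[pos + 4:pos + 4 + payload_size]
    if len(payload) != payload_size:
        raise ValueError("truncated Ole10Native payload")
    return {"declared_total": declared_total, "label": label.decode("latin-1"),
            "source_path": source_path.decode("latin-1"),
            "temp_path": temp_path.decode("latin-1"), "payload": payload}


def triage_xlsx(xlsx_bytes):
    """Summary a reviewer wants: CFB parts, those carrying the Equation CLSID, declared progIds."""
    parts = find_embedded_ole_parts(xlsx_bytes)
    return {"embedded_ole_parts": sorted(parts),
            "equation_editor_parts": sorted(n for n, d in parts.items() if has_equation_editor_clsid(d)),
            "declared_prog_ids": sorted(declared_prog_ids(xlsx_bytes))}


def build_constructed_sample():
    """Constructed stand-in for the report's sample (not the real file): a fake CFB part
    holding the Equation Editor CLSID, a non-OLE part, and a worksheet declaring Equation.3."""
    fake_ole = OLE_MAGIC + b"\x00" * 0x48 + EQUATION_EDITOR_CLSID.bytes_le + b"\x00" * 64
    sheet = (b'<worksheet><oleObjects>'
             b'<oleObject progId="Equation.3" shapeId="1025" r:id="rId1"/>'
             b'</oleObjects></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/embeddings/ejF.PBvk", fake_ole)
        zf.writestr("xl/embeddings/image1.png", b"\x89PNG not an OLE container")
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def build_constructed_ole10native():
    """Constructed Ole10Native stream wrapping a 32-byte fake MZ payload (names are made up)."""
    payload = b"MZ" + b"\x00" * 30
    body = (struct.pack("<H", 2) + b"invoice.bin\x00" + b"C:\\src\\invoice.bin\x00"
            + struct.pack("<II", 0, 0) + b"C:\\Temp\\invoice.bin\x00"
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    print(triage_xlsx(build_constructed_sample()))
    info = parse_ole10native(build_constructed_ole10native())
    print(info["label"], info["temp_path"], len(info["payload"]), "bytes")
```

Run it on the real sample by passing the file's bytes to triage_xlsx() and the carved ooxml_oleobject_00_ole10native_00.bin to parse_ole10native(). A progId of Equation.3 next to a Packager-style child stream, as this sample shows, is exactly the mismatch worth flagging: the progId and part name are whatever the author wrote, while the CLSID decides which COM server Office instantiates.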