Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 68252643b36f766b…

MALICIOUS

Office (OOXML) / .XLSX

Size: 662.9 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2024-06-14
MD5: 00d220269917337e5216bb2f7dbc0f54
SHA-1: 0d461644f2acc796110f61bceab5b74328d0b0c7
SHA-256: 68252643b36f766b0cabe8dba39f8b407f774f934cb9671de7b874a62cbe4b67
Risk score: 100

Malware Insights

MITRE ATT&CK
  T1204 Malicious Link
  T1059 Command and Scripting Interpreter

The file is an Excel spreadsheet containing an embedded OLE object, specifically identified as a vulnerable Equation Editor object. High-severity heuristics indicate that this object carries a payload-like Ole10Native stream with an anomalous header and a significantly larger declared size than the actual stream. This strongly suggests the exploitation of a known vulnerability within the Equation Editor to execute arbitrary code. No scripts were extracted, and the document body content appears to be unrelated commercial text, indicating the malicious functionality is likely contained within the embedded OLE object.

Heuristics (3)

  • Equation Editor OLE object [high, CVE related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/Y6Wa5R1o.ON contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream [high] OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 6faa5d5f5895acce70049631c162ed30f1749fab5dcbea119ae0460f9b4bc5c8
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/Y6Wa5R1o.ON
  Size: 975872 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 7aef94635239523d58621187b6da3428561d041718b129bed7d4bb4dd8a0091a
  Kind: ole-package
  Source: OOXML xl/embeddings/Y6Wa5R1o.ON Ole10Native stream: OLE10natiVe
  Size: 965777 bytes