Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 68e5960b0d641f76…

MALICIOUS

Office (OOXML) / .XLSX

Size: 651.7 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2022-07-27

MD5: a3323ba2de585840d0741846e7139577
SHA-1: d794595a6e687d7f739713685e7e4adf443316cd
SHA-256: 68e5960b0d641f766ec18dd871d3010acd4271eab5aa67862e26408f66cae567

Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model and Distributed Component Object Model
  • T1204.002 Malicious File

The sample is an Excel workbook with an embedded OLE object whose CLSID identifies it as an Equation Editor object. High-severity heuristics flag that this object carries a payload-like Ole10Native stream with an anomalous header and a size field that does not match the stream (malformed package sizing), which strongly suggests the object is being used to stage a secondary exploit or payload rather than a genuine equation. No specific Equation Editor CVE is assigned, because the MTEF/Equation Native exploit primitive itself was not matched; the verdict rests on the shape of the payload container. The visible document content is a fake purchase order, a lure to get the recipient to open the file and interact with the embedded object.

Heuristics (3)

  • Equation Editor OLE object [high, CVE related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/9gr0gi.2H4rwX contains the Equation Editor CLSID ({0002CE02-0000-0000-C000-000000000046}, "Microsoft Equation 3.0"), the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream [high] OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    The embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream whose package size fields are malformed. This is the exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not attributed to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    The document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 105f25b14799d2ece8f31f90f5fe28eecc7659068ffae0c80aef060877b8ba88
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part xl/embeddings/9gr0gi.2H4rwX
  Size: 882176 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 6ed41239a2963621306c0bc64d11fe71d65c2f1e581d0c5a94edb0ffb2d16310
  Kind: ole-package
  Source: OOXML xl/embeddings/9gr0gi.2H4rwX, Ole10Native stream "Ole10nAtiVE"
  Size: 872796 bytes
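The checks behind the two high-severity heuristics above, and the size check a practitioner would run on the carved Ole10Native artifact, as an added Python example. This is not code from the report or its analysis engine. It assumes: the Equation Editor CLSID value {0002CE02-0000-0000-C000-000000000046} (not stated on the page); the Packager (Ole10Native) header layout as oletools' oleobj parses it; an entropy cut-off of 7.0 bits per byte; and constructed sample data, since the sample's real artifacts are not available here. Carving the Ole10Native stream out of the compound file needs a CFB parser (olefile's openstream), which the example does not include: it scans the raw embedded part for the CLSID and stream-name artifacts, and takes an already-carved stream, like the second extracted artifact above, as input to the header parser.

```python
"""Triage checks for Equation Editor OLE objects in an .xlsx (added example)."""
import io
import math
import re
import struct
import uuid
import zipfile
from collections import Counter

# CLSID of "Microsoft Equation 3.0" (EQNEDT32.EXE). CFB directory entries store it
# in the mixed-endian GUID layout uuid exposes as bytes_le, so a raw byte search
# finds it without parsing the compound file's sector structure (assumed value).
CLSID_BYTES = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 means packed, encrypted or random-looking data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def utf16_names(blob: bytes, needle: str) -> list:
    """ASCII case-insensitive search of UTF-16LE text (how CFB stores stream names)
    at both byte alignments; returns each spelling exactly as stored."""
    pat = re.compile(re.escape(needle), re.IGNORECASE | re.ASCII)
    return [m.group(0) for align in (0, 1)
            for m in pat.finditer(blob[align:].decode("utf-16-le", errors="ignore"))]

def scan_ole_blob(part_name: str, blob: bytes) -> dict:
    """Byte-scan heuristics over one raw embedded OLE part (xl/embeddings/*)."""
    names = utf16_names(blob, "ole10native")
    return {"part": part_name,
            "equation_editor_clsid": CLSID_BYTES in blob,
            "ole10native_names": names,
            # Packager writes "\x01Ole10Native"; any other casing was hand-crafted.
            "ole10native_case_anomaly": any(n != "Ole10Native" for n in names)}

def scan_xlsx(xlsx) -> list:
    """Scan every part under xl/embeddings/ (xlsx = path or file object)."""
    with zipfile.ZipFile(xlsx) as zf:
        return [scan_ole_blob(n, zf.read(n)) for n in zf.namelist()
                if n.startswith("xl/embeddings/")]

def _cstring(buf: bytes, off: int):
    end = buf.index(b"\x00", off)  # ValueError if unterminated
    return buf[off:end].decode("latin-1"), end + 1

def parse_ole10native(stream: bytes) -> dict:
    """Parse a carved Ole10Native (Packager) stream and check its size fields.
    Layout (as oletools' oleobj reads it): u32 total size, u16 type, NUL-terminated
    label and source path, u16 + u32 reserved, u32 temp-path length, temp path,
    u32 payload size, payload."""
    declared = struct.unpack_from("<I", stream, 0)[0]
    info = {"declared_size": declared, "stream_size": len(stream),
            "size_mismatch": declared != len(stream) - 4, "header_parsed": False,
            "label": None, "payload_truncated": None,
            "payload_entropy": shannon_entropy(stream[4:])}
    try:
        info["label"], off = _cstring(stream, 6)  # 6: past size and type fields
        info["source_path"], off = _cstring(stream, off)
        off += 6 + 4 + struct.unpack_from("<I", stream, off + 6)[0]  # reserved, temp path
        payload_size = struct.unpack_from("<I", stream, off)[0]
        off += 4
        info["payload_truncated"] = off + payload_size > len(stream)
        info["payload_entropy"] = shannon_entropy(stream[off:off + payload_size])
        info["header_parsed"] = True
    except (ValueError, struct.error):
        pass  # not Packager-shaped; the total-size check above still applies
    return info

def classify_stream(info: dict) -> str:
    """The report's reasoning: bad sizing plus high entropy = payload container."""
    bad = info["size_mismatch"] or not info["header_parsed"] or info["payload_truncated"]
    if bad and info["payload_entropy"] > 7.0:  # 7.0 bits/byte is an assumed cut-off
        return "payload-like: anomalous sizing and high-entropy content"
    return "anomalous sizing" if bad else "well-formed Packager object"

# Constructed sample data (stand-ins; the page's real artifacts are not here).
def build_packager_stream(label: str, src: str, payload: bytes) -> bytes:
    """Well-formed Ole10Native stream in the layout parse_ole10native expects."""
    temp = src.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2) + label.encode("latin-1") + b"\x00"
            + src.encode("latin-1") + b"\x00" + struct.pack("<HI", 0, 3)
            + struct.pack("<I", len(temp)) + temp
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body

def build_fake_ole_part(stream_name: str, stream: bytes) -> bytes:
    """NOT a valid compound file: only CFB magic, one UTF-16LE directory-entry name
    and the CLSID, i.e. the artifacts the byte-scan heuristics key on."""
    name = stream_name.encode("utf-16-le")
    return (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(504)
            + name + bytes(64 - len(name)) + CLSID_BYTES + stream)

WELLFORMED_STREAM = build_packager_stream("notes.txt", "C:\\notes.txt", b"hello" * 20)
# Size field 0xFFFFFFFF vs. 4 KiB of data; every byte value 16 times = 8.0 bits/byte.
MALFORMED_STREAM = struct.pack("<I", 0xFFFFFFFF) + bytes(range(256)) * 16

def build_sample_xlsx() -> io.BytesIO:
    """Minimal in-memory .xlsx with one embedded part shaped like the report's."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/embeddings/oleObject1.bin",
                    build_fake_ole_part("\x01Ole10nAtiVE", MALFORMED_STREAM))
    return io.BytesIO(buf.getvalue())
```

Two caveats when using this on real samples. The CLSID and stream-name checks are raw byte scans, so a hit is a triage signal to confirm with a real compound-file parse (olefile), not proof that the root entry's CLSID is Equation Editor. For the carved stream, the first check is purely arithmetic: on the 872796-byte artifact above, a well-formed Packager object would declare 872792 in its leading size field, and any other value is the "malformed package sizing" the heuristic refers to; the mixed-case "Ole10nAtiVE" name is the other tell, since Packager itself always writes "Ole10Native".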