Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 698f15c6557a1023…

MALICIOUS

Office (OOXML) / .XLSX

735.0 KB Created: 2019-11-27 09:20:57 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2022-05-24
MD5: 9927bb62c42a467ff6459e3f2ef25755 SHA-1: fed941a9bb39426562e38f0cc183aa3253e323b0 SHA-256: 698f15c6557a10232a0d78f128fc03bbd42f0efedc70ee506e041f8569e6d679
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Excel spreadsheet containing an embedded OLE object, specifically identified as an Equation Editor object. This heuristic strongly suggests exploitation of a known vulnerability in the Equation Editor component to achieve arbitrary code execution. The document body contains what appears to be inventory or parts list data, which is likely a lure.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/lLm8U.RtMBx3r contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
3dfe7fe41e28d8a06b5e05cf46441e9e4bb375f143d908cd8b48676aad295c39		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/lLm8U.RtMBx3r 1044480 bytes
ooxml_oleobject_00_ole10native_00.bin
119a06658fcdec78aed446dad28c20e694a058e0d56f169bc176061d7b90ee2e		 ole-package OOXML xl/embeddings/lLm8U.RtMBx3r Ole10Native stream: oLE10NaTIVE 1034004 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.