Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 6bba78df2ac67668…

MALICIOUS

Office (OOXML) / .XLSX

Size: 760.9 KB
Created: 2024-09-30 12:55:35 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 334d7d30d9327e30d300d5ed3326d098
SHA-1: cdac6096bcc46f8ab2d668bba92d124beb7794d4
SHA-256: 6bba78df2ac67668eb837a1593b6c1e3fc198fa4c1a4725a5d2370f8121c3a3b
Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an Excel spreadsheet containing an embedded OLE object, specifically identified as an Equation Editor object. The document body text is formatted as an invoice or payment notification, suggesting a lure to trick the user into interacting with the embedded object. This combination of an invoice lure and an embedded OLE object is a common tactic for delivering malicious payloads.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related) — rule OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/Rp9R.IUOF contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium) — rule OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Fake invoice / payment lure (severity: low) — rule SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256: 3d1639a1dc8720e44b1b267ffd587785fd12ab9f27c192ea78af425e500e8a24
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/Rp9R.IUOF
  Size: 944640 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: b80d5dfd7ea2d6e38957ee20b4a58f791a9603185c5dc1b63208637d9cc621d9
  Kind: ole-package
  Source: OOXML xl/embeddings/Rp9R.IUOF Ole10Native stream: Ole10NATIvE
  Size: 934659 bytes