Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 6e31cf41c4bc4a5f…

MALICIOUS

Office (OOXML) / .XLSX

756.1 KB Created: 2019-02-26 14:42:35 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2023-07-26
MD5: 9383c85bcf54cd0f5b0e2d0fd17ce360 SHA-1: d99e297f74836e43deb2c8ec5d6332df2f82de9d SHA-256: 6e31cf41c4bc4a5f7933018e05b5cfbceb0d0acac6af32f2143c2567b5145e51
108 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious File

The file is an Excel document containing an embedded OLE object, specifically identified as an Equation Editor object. This object has an anomalous Ole10Native stream, indicating it likely carries a malicious payload. The document body contains invoice-like text, suggesting a lure to trick the user into interacting with the embedded object.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/F0L0hXP.1L0X contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
d61df1f000582deeb47362dd4eb71159481ca871d1aeb41d7d4717648a0fa2da		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/F0L0hXP.1L0X 1092608 bytes
ooxml_oleobject_00_ole10native_00.bin
176235794cf2d9f17390c661a789c2f676ab27914ba81bf26ad8a933ea398344		 ole-package OOXML xl/embeddings/F0L0hXP.1L0X Ole10Native stream: ole10NaTIVE 1081360 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.