Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 6e961dbb31821faf…

MALICIOUS

Office (OOXML) / .XLSX

Size: 723.3 KB
Created: 2023-09-27 08:05:40 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2023-10-02
MD5: 8f57d9a5a2435affc31a6fac206b995b
SHA-1: 006b1472bcc82d840a68960b2077ac69e4d0922c
SHA-256: 6e961dbb31821faf0ec7c28266050b01b712886fd3fb7bf15db0ffc414ef9427
Risk score: 100

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model    T1204.002 User Execution: Malicious File

The workbook embeds an OLE object whose CLSID identifies it as an Equation Editor (EQNEDT32) object. Rather than the Equation Native stream a genuine equation object carries, the object stores a large Ole10Native stream (the Packager's container format) whose declared sizes do not match the data actually present and whose content is high-entropy, which is consistent with a packed or encrypted second-stage exploit or payload. Taken together, these indicators point to the OLE object being used to invoke the legacy Equation Editor and execute arbitrary code.

Heuristics 3

  • Equation Editor OLE object (severity: high, CVE-related, rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/V7xXzjDo.vLSV carries the Equation Editor (EQNEDT32) CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high, rule OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    The object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream (the Packager's container format, which a genuine equation object does not need) whose declared package sizes do not match the data present. This is the exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is reported generically rather than mapped to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium, rule OOXML_OLE_OBJECT)
    The document contains an embedded OLE object.
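The three heuristics above reduce to a few byte-level checks on the carved artifacts: the Equation Editor CLSID in the OLE part, and, in the Ole10Native stream, the declared total size against the stream length, the declared payload size against the bytes present, and the payload's entropy. The following is an added example written for this report, not the scanner's own code. The header layout is the commonly documented Packager Ole10Native format; the OLE part stub and the two sample streams (one well-formed, one forged with bad sizing and a high-entropy payload) are constructed inline, and the rule names are the ones the report uses. Real samples may deviate from the documented layout, which is exactly what the sizing checks are meant to surface.

```python
"""Ole10Native / Equation Editor heuristics (added example, not the scanner's code)."""
import hashlib
import math
import struct
import uuid

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Equation Editor 3.0 CLSID, stored in a compound file as a 16-byte little-endian GUID.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
ENTROPY_THRESHOLD = 7.0         # bits per byte; MTEF/text data sits well below this
MIN_PAYLOAD_FOR_ENTROPY = 1024  # entropy of tiny blobs is not meaningful


def has_equation_editor_clsid(ole_part: bytes) -> bool:
    """True if the raw OLE part contains the Equation Editor CLSID in on-disk byte order."""
    return EQNEDT_CLSID.bytes_le in ole_part


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _cstr(buf: bytes, off: int):
    """Read a NUL-terminated string at off; return (text, offset past the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Parse an Ole10Native stream and report sizing/entropy anomalies."""
    declared_total = struct.unpack_from("<I", stream, 0)[0]   # bytes following this field
    off = 4
    type_flag = struct.unpack_from("<H", stream, off)[0]; off += 2   # 0x0002 for Packager
    label, off = _cstr(stream, off)
    filename, off = _cstr(stream, off)
    off += 2 + 4                                               # WORD flags, DWORD unknown (3)
    temp_len = struct.unpack_from("<I", stream, off)[0]; off += 4
    temp_path = stream[off:off + temp_len].rstrip(b"\x00").decode("latin-1"); off += temp_len
    payload_size = struct.unpack_from("<I", stream, off)[0]; off += 4
    remaining = len(stream) - off
    payload = stream[off:off + payload_size]   # slicing truncates if the size field lies
    entropy = shannon_entropy(payload)

    anomalies = []
    if declared_total != len(stream) - 4:
        anomalies.append(f"declared total {declared_total} != actual {len(stream) - 4}")
    if payload_size > remaining:
        anomalies.append(f"payload size {payload_size} exceeds the {remaining} bytes present")
    if type_flag != 2:
        anomalies.append(f"unexpected type flag {type_flag:#06x}")
    if len(payload) >= MIN_PAYLOAD_FOR_ENTROPY and entropy > ENTROPY_THRESHOLD:
        anomalies.append(f"high-entropy payload ({entropy:.2f} bits/byte)")
    return {"label": label, "filename": filename, "temp_path": temp_path,
            "payload": payload, "entropy": entropy, "anomalies": anomalies}


def classify(ole_part: bytes, ole10native: bytes) -> list:
    """Map the findings onto the heuristic names used in the report."""
    hits = []
    if ole_part.startswith(CFB_MAGIC):
        hits.append("OOXML_OLE_OBJECT")
    if has_equation_editor_clsid(ole_part):
        hits.append("OLE_EQUATION_EDITOR")
        if parse_ole10native(ole10native)["anomalies"]:
            hits.append("OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY")
    return hits


# ---- constructed test data (not taken from the analysed sample) ----
def build_ole10native(label, filename, temp_path, payload,
                      declared_total=None, payload_size=None) -> bytes:
    """Assemble a stream; the two overrides let us forge the malformed sizing."""
    body = struct.pack("<H", 2) + label.encode() + b"\x00" + filename.encode() + b"\x00"
    body += struct.pack("<HI", 0, 3)
    tmp = temp_path.encode() + b"\x00"
    body += struct.pack("<I", len(tmp)) + tmp
    body += struct.pack("<I", len(payload) if payload_size is None else payload_size) + payload
    total = len(body) if declared_total is None else declared_total
    return struct.pack("<I", total) + body


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 in counter mode) standing in for a packed payload."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "little")).digest()
        ctr += 1
    return bytes(out[:n])


# Stub OLE part: CFB magic plus the CLSID. A real part is a full compound file with the
# CLSID in its root directory entry, but the byte scan above works the same way.
SAMPLE_OLE_PART = CFB_MAGIC + b"\x00" * 72 + EQNEDT_CLSID.bytes_le + b"\x00" * 16
BENIGN_STREAM = build_ole10native("notes.txt", "C:\\notes.txt", "C:\\Temp\\notes.txt",
                                  b"hello world\r\n" * 20)
MALICIOUS_STREAM = build_ole10native("eq.bin", "C:\\eq.bin", "C:\\Temp\\eq.bin",
                                     pseudo_random(4096),
                                     declared_total=0x7FFFFFFF, payload_size=0x10000)

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN_STREAM), ("malicious", MALICIOUS_STREAM)):
        r = parse_ole10native(stream)
        print(name, f"entropy={r['entropy']:.2f}", r["anomalies"], classify(SAMPLE_OLE_PART, stream))
```

To run this against the carved artifacts listed below, pass the bytes of ooxml_oleobject_00.bin as the OLE part and ooxml_oleobject_00_ole10native_00.bin as the stream; the entropy threshold and minimum payload length are tuning knobs, and a stream name that is case-mangled relative to Ole10Native is itself worth flagging, since compound-file directory lookups are case-insensitive while naive string rules are not.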

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                                Kind              Source                                                                Size
ooxml_oleobject_00.bin                  ooxml-ole-object  OOXML embedded OLE part: xl/embeddings/V7xXzjDo.vLSV                  989696 bytes
  SHA-256: 44d3869339bd6fbecf093ee710f85e0bb457ff7515394c4771923d4eace0a9a7
ooxml_oleobject_00_ole10native_00.bin   ole-package       OOXML xl/embeddings/V7xXzjDo.vLSV, Ole10Native stream "ole10NAtIVe"   979151 bytes
  SHA-256: da9609fff36f9750d2408f194ca8fe2959e593125c824123ec7d5f2f9362ca25

Note that the carved stream is named "ole10NAtIVe" rather than the canonical Ole10Native. Compound-file directory entries are matched case-insensitively, so Office still resolves the stream, while detection rules that match the canonical spelling literally do not; the mangled name should be treated as an additional evasion indicator.