Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 6f48f11967a585d4…

MALICIOUS

Office (OLE) / .XLSX

Size: 291.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2022-12-07
MD5: 44cab1b3599621ab184fe2efd8215ce5
SHA-1: 75a3eae30a6702db15f5876d80cd7c850d35bf82
SHA-256: 6f48f11967a585d492f24fcbc4f9733d8eb9c830f9f2d2cd903e4a314d26c357
Risk score: 140

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1559.001 Component Object Model Hijacking

The critical heuristic firing for CVE_2017_11882_EQUATION_OLE10NATIVE indicates exploitation of a known vulnerability in Microsoft Equation Editor. This, combined with the presence of OLE objects, strongly suggests the file is designed to leverage this exploit for initial execution. No document body or script content was available for further analysis.

Heuristics (3)

  • Equation Editor Ole10Native payload — CVE-2017-11882 (severity: critical; CVE likely; rule: CVE_2017_11882_EQUATION_OLE10NATIVE)
    An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • x86 GetPC stub (CALL $+5; POP EAX) (severity: high; rule: SC_GETPC_CALL)
    Position-independent shellcode prologue that loads its own address into EAX.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
  Kind: ole-package
  Source: OLE Ole10Native stream: MBD01655B0A/Ole10Native
  Size: 9818 bytes
  SHA-256: 45f657068376f276b7dda01e02d866e7cf3fdc7005aa897a5d8825fe12165aac

Filename: ole10native_06.bin
  Kind: ole-package
  Source: OLE Ole10Native stream: MBD01655B10/OLe10NaTIVe
  Size: 1600 bytes
  SHA-256: 94150347648dc61b3612f855e737b5c60b39d0a2b623803edbbdefcc5c6d8175