Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 705e99b7d24df451…

MALICIOUS

Office (OOXML) / .XLSX

Size: 722.0 KB
Created: 2023-08-10 22:47:12 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2023-08-12
MD5: 98a4186a1ccfadb25b14720703ca5a2b
SHA-1: f24fb763798acb3d233eb7afa391823817ba2161
SHA-256: 705e99b7d24df451ab51ed24b04547e20d24aead3404c6e32891069c07c3b998
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model; T1204.002 User Execution: Malicious File

The file is an XLSX workbook containing an embedded OLE object (xl/embeddings/CfI1v8E.WU0q3) whose root storage carries the CLSID of Equation Editor 3.0 (EQNEDT32.EXE). That legacy component rarely appears in legitimate modern spreadsheets and is the target of CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798, memory-corruption bugs that let a crafted object run arbitrary code when the document is opened, so an Equation Editor object inside an Office document is a strong indicator of an exploit-delivery attempt. The CLSID by itself is an indicator rather than proof of exploitation: the confirming evidence lives in the object's streams. Here the object also carries a 1,014,473-byte Ole10Native (OLE Package) stream, the structure used to embed an arbitrary file, which should be carved and examined as the likely payload. The stream is named ole10naTIVE rather than the canonical Ole10Native; compound-file directory names are compared case-insensitively, so the object still loads, but signatures that match the canonical name case-sensitively will not fire on it.

Heuristics (2)

  • Equation Editor OLE object [severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/CfI1v8E.WU0q3 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [severity: medium; rule: OOXML_OLE_OBJECT]
    The document contains an embedded OLE object.
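The two heuristics above reduce to a few structural checks on the embedded part. The script below is an added example, not the analysis platform's own code: it unzips the OOXML container, parses each embeddings part as a Compound File with a hand-rolled reader (no olefile dependency), compares the root storage CLSID with Equation Editor 3.0's {0002CE02-0000-0000-C000-000000000046}, and, when an Ole10Native stream is present, parses its Packager header to recover the embedded filename and payload (the header layout is the one oletools' oleobj parses; that it applies to this sample is an assumption). The document it runs on is constructed in memory to mirror the reported structure: it reuses the report's part name xl/embeddings/CfI1v8E.WU0q3 and a case-altered stream name, carries inert filler as payload, and is not a valid workbook. The demo writer emits a single stream of at least 4096 bytes so no mini stream is needed; the reader itself handles both regular and mini-stream chains.

```python
"""Triage an OOXML file for an embedded Equation Editor OLE object (added example; CONSTRUCTED sample)."""
import hashlib, io, struct, zipfile

EQNEDT_CLSID = "{0002CE02-0000-0000-C000-000000000046}"                  # Equation Editor 3.0
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
u32s = lambda buf: list(struct.unpack("<%dI" % (len(buf) // 4), buf))
def clsid_to_str(raw):                       # registry form; the first three fields are little-endian
    d1, d2, d3 = struct.unpack("<IHH", raw[:8])
    return "{%08X-%04X-%04X-%s-%s}" % (d1, d2, d3, raw[8:10].hex().upper(), raw[10:16].hex().upper())
def chain(start, table, reader):             # follow a FAT or mini-FAT chain, refusing loops and bad sids
    out, sid, seen = [], start, set()
    while sid < 0xFFFFFFFA:                  # values above are markers (ENDOFCHAIN, FREESECT, ...)
        if sid in seen or sid >= len(table): raise ValueError("corrupt sector chain")
        seen.add(sid); out.append(reader(sid)); sid = table[sid]
    return b"".join(out)

class Cfb:                                   # minimal Compound File reader (no olefile dependency)
    def __init__(self, data):
        if data[:8] != CFB_MAGIC:
            raise ValueError("not a compound file")
        self.sec, self.mini = (1 << s for s in struct.unpack_from("<HH", data, 30))
        self.sector = lambda sid: data[(sid + 1) * self.sec:(sid + 2) * self.sec]
        n_fat, first_dir = struct.unpack_from("<II", data, 44)
        self.cutoff, first_minifat = struct.unpack_from("<II", data, 56)
        difat = [s for s in struct.unpack_from("<109I", data, 76) if s != FREESECT]
        self.fat = u32s(b"".join(self.sector(s) for s in difat[:n_fat]))
        self.minifat = u32s(chain(first_minifat, self.fat, self.sector))
        self.entries = self.directory(chain(first_dir, self.fat, self.sector))
        self.root_clsid = self.entries[0]["clsid"]                       # entry 0 is the root storage
        self.ministream = chain(self.entries[0]["start"], self.fat, self.sector)
    def directory(self, buf):
        entries = []
        for off in range(0, len(buf), 128):
            e = buf[off:off + 128]
            name_len, kind = struct.unpack_from("<HB", e, 64)            # kind: 1 storage, 2 stream, 5 root
            if kind:                                                     # 0 marks an unused slot
                entries.append({"name": e[:max(name_len - 2, 0)].decode("utf-16-le"), "type": kind,
                                "clsid": clsid_to_str(e[80:96]), "start": struct.unpack_from("<I", e, 116)[0],
                                "size": struct.unpack_from("<Q", e, 120)[0]})
        return entries
    def read_stream(self, e):                                            # small streams sit in the mini stream
        small = e["size"] < self.cutoff
        mini = lambda s: self.ministream[s * self.mini:(s + 1) * self.mini]
        return chain(e["start"], self.minifat if small else self.fat, mini if small else self.sector)[:e["size"]]

def parse_ole10native(raw):
    """Packager layout as parsed by oletools' oleobj: u32 len, u16 flags, NUL-terminated label and
    filename, two u16, u32-prefixed temp path, u32-prefixed payload."""
    end1 = raw.index(b"\0", 6); end2 = raw.index(b"\0", end1 + 1)
    pos = end2 + 9 + struct.unpack_from("<I", raw, end2 + 5)[0]          # skip the u16s and the temp path
    payload = raw[pos + 4:pos + 4 + struct.unpack_from("<I", raw, pos)[0]]
    return {"label": raw[6:end1].decode("latin-1"), "filename": raw[end1 + 1:end2].decode("latin-1"),
            "payload_size": len(payload), "payload_magic": payload[:2],
            "payload_sha256": hashlib.sha256(payload).hexdigest()}

def triage_ooxml(doc_bytes):
    """One finding per embedded OLE part: the facts OLE_EQUATION_EDITOR and OOXML_OLE_OBJECT key on."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        for part in z.namelist():
            blob = z.read(part) if part.startswith(("xl/embeddings/", "word/embeddings/", "ppt/embeddings/")) else b""
            if blob[:8] != CFB_MAGIC:                                    # not an embedding, or not OLE
                continue
            ole = Cfb(blob)
            f = {"part": part, "clsid": ole.root_clsid, "equation_editor": ole.root_clsid == EQNEDT_CLSID,
                 "streams": [e["name"] for e in ole.entries[1:] if e["type"] == 2], "ole10native": None}
            for e in ole.entries[1:]:
                bare = e["name"].lstrip("\x01\x03")                      # strip the reserved-name prefix byte
                if e["type"] == 2 and bare.lower() == "ole10native":     # match the name case-insensitively
                    f["ole10native"] = dict(parse_ole10native(ole.read_stream(e)),
                                            name_case_altered=bare != "Ole10Native")
            findings.append(f)
    return findings

# CONSTRUCTED sample. Demo writer only: sector 0 = FAT, 1 = directory, 2.. = one stream of >= 4096 bytes.
def dir_entry(name, kind, clsid, start, size, child):
    raw = name.encode("utf-16-le") + b"\0\0"
    return (raw.ljust(64, b"\0") + struct.pack("<HBBIII", len(raw), kind, 1, NOSTREAM, NOSTREAM, child)
            + clsid + b"\0" * 20 + struct.pack("<IQ", start, size))
def build_cfb(root_clsid, name, data):
    nsec = -(-len(data) // 512)
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + nsec)) + [ENDOFCHAIN]
    header = CFB_MAGIC + b"\0" * 16 + struct.pack("<HHHHH6x9I109I", 0x3E, 3, 0xFFFE, 9, 6, 0, 1, 1, 0, 4096,
                                                  ENDOFCHAIN, 0, ENDOFCHAIN, 0, 0, *[FREESECT] * 108)
    dirsec = (dir_entry("Root Entry", 5, root_clsid, ENDOFCHAIN, 0, 1)
              + dir_entry(name, 2, b"\0" * 16, 2, len(data), NOSTREAM)).ljust(512, b"\0")
    return (header + struct.pack("<128I", *fat, *[FREESECT] * (128 - len(fat))) + dirsec
            + data.ljust(nsec * 512, b"\0"))
def build_sample_xlsx():
    payload = b"MZ" + b"\x90" * 6000                                     # inert filler with a PE-like magic
    native = (struct.pack("<H", 2) + b"payload.exe\0" * 2 + struct.pack("<HHI", 0, 3, 28)
              + b"C:\\Users\\Public\\payload.exe\0" + struct.pack("<I", len(payload)) + payload)
    ole = build_cfb(bytes.fromhex("02CE020000000000C000000000000046"),   # Equation Editor 3.0 CLSID
                    "\x01ole10naTIVE", struct.pack("<I", len(native)) + native)
    with zipfile.ZipFile(buf := io.BytesIO(), "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/embeddings/CfI1v8E.WU0q3", ole)                   # part name taken from the report
    return buf.getvalue()
```

Pass the bytes of a real .xlsx to triage_ooxml() to get one finding per embedded OLE part; on this sample the part should come back with equation_editor set. Whether its Ole10Native stream parses as a clean Packager record depends on how the sample was built, and a header that does not parse is itself worth a look. The stream-name match is deliberately case-insensitive: the compound-file format compares directory names without regard to case, so a name such as ole10naTIVE still loads, whereas a rule that matches the canonical Ole10Native case-sensitively would miss it.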

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: cc5ca2ff2b56a8b7e11cdf63dbc59fdcd4d46279f454cf4404e9a04b2573a115
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part xl/embeddings/CfI1v8E.WU0q3
  Size:    1,025,024 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 7e40220354b5e0d17faeda68242d3dc3b6a84d98dbddddb4e3e5eaf26c5bfe4c
  Kind:    ole-package
  Source:  Ole10Native stream (named "ole10naTIVE") of OOXML part xl/embeddings/CfI1v8E.WU0q3
  Size:    1,014,473 bytes