Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 749411684391c7f9…

MALICIOUS

Office (OOXML) / .XLSX

Size: 8.7 KB
Created: 2021-04-28 14:40:56 UTC
Authoring application: Microsoft Excel 15.0300
MD5: a9e12d46770540ab2936c356eca09720
SHA-1: 27584196086d9a72ca2a6474402b0ec4f22d3036
SHA-256: 749411684391c7f9f547760d0d8983feb1c835f50c031688fc96fa1608b0aea6
Risk score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Excel workbook with a single embedded OLE object (xl/embeddings/oleObject1.bin) whose class identifier is that of Microsoft Equation Editor 3.0 (EQNEDT32.EXE). That legacy component has a history of memory-corruption flaws, most prominently CVE-2017-11882, a stack buffer overflow triggered while it parses a malformed equation record, and documents embedding it are routinely used to obtain code execution as soon as the file is opened (T1203). The high-severity heuristic firing on the CLSID therefore points to this object as the primary attack vector. Two structural details support that reading: the object's payload lives in an Ole10Native stream rather than in the Equation Native stream a user-inserted equation normally carries, and the stream name is case-mangled (Ole10nATIvE). Compound-file name lookups are case-insensitive, so the object still loads, while rules that match the canonical stream name can miss it. This static pass identifies the component and the container structure; it does not parse the equation data itself, so it does not establish which of the listed CVEs the payload targets.

Heuristics (2)

  • Equation Editor OLE object [severity: high, CVE-related] rule: OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin carries the CLSID of Microsoft Equation Editor, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [severity: medium] rule: OOXML_OLE_OBJECT
    The document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 364df50455487a5cc635d886db96c9f436fcc925594f691da3289a51aca63c20
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part xl/embeddings/oleObject1.bin
  Size: 4096 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 2c419c8e10da2c43e7a0c6831a311c5d96194ae331d25dd47c9d0ea656067e83
  Kind: ole-package
  Source: Ole10Native stream (stored under the name "Ole10nATIvE") in xl/embeddings/oleObject1.bin
  Size: 1867 bytes
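The two checks the report relies on, the Equation Editor CLSID in the embedded part and the presence of an Ole10Native stream even when its name is case-mangled, can be reproduced with a short triage script. The following is an added example, not the scanner's code and not the sample above: it walks every `*/embeddings/*` part of an OOXML zip, greps each for the Equation Editor class ID in its on-disk little-endian form and for the `Ole10Native` stream name with case-insensitive UTF-16LE matching, and builds its own constructed fixture (two fake OLE parts that carry only a signature and a directory sector, not a loadable compound file) so it runs offline. It deliberately does not parse the compound file; carving the stream itself, as the report did, needs a real CFB parser such as olefile.

```python
"""Triage an OOXML package (xlsx/docx/pptx) for Equation Editor OLE objects.

Added example, not the scanner's own code. It does not parse the OLE compound
file (use olefile for that); it greps each embedded part for the Equation
Editor CLSID in its on-disk little-endian form and for the Ole10Native stream
name with case-insensitive matching, so a mixed-case name such as the
"Ole10nATIvE" in the report is still flagged.
"""
import io
import re
import struct
import uuid
import zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Equation Editor 3.0 class ID. A CFB directory entry stores it as a
# little-endian GUID, which uuid.UUID(...).bytes_le reproduces byte for byte.
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"
EQNEDT_PROGID = b"Equation.3"  # ANSI ProgID as it appears in a CompObj stream


def utf16le_ci_pattern(name: str) -> re.Pattern:
    """Regex matching `name` encoded as UTF-16LE, ignoring letter case.
    CFB name lookups are case-insensitive, so the loader accepts any casing."""
    parts = []
    for ch in name:
        lo, up = ch.lower(), ch.upper()
        parts.append(f"[{re.escape(lo)}{re.escape(up)}]" if lo != up else re.escape(ch))
        parts.append("\x00")  # high byte of each UTF-16LE code unit
    return re.compile("".join(parts).encode("latin-1"))


OLE10NATIVE_RE = utf16le_ci_pattern("Ole10Native")


def scan_ole_blob(blob: bytes) -> dict:
    """Byte-level indicators for one embedded OLE part."""
    hit = {
        "is_cfb": blob.startswith(CFB_MAGIC),
        "equation_clsid": uuid.UUID(EQNEDT_CLSID).bytes_le in blob,
        "equation_progid": EQNEDT_PROGID in blob,
        "ole10native_names": [m.group(0).decode("utf-16-le")
                              for m in OLE10NATIVE_RE.finditer(blob)],
    }
    hit["verdict"] = ("equation-editor"
                      if hit["equation_clsid"] or hit["equation_progid"]
                      else "ole-object")
    return hit


def scan_ooxml(package: bytes) -> list:
    """Scan every */embeddings/* part (xl/, word/, ppt/) of an OOXML zip."""
    results = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if "/embeddings/" in name:
                hit = scan_ole_blob(zf.read(name))
                hit["part"] = name
                results.append(hit)
    return results


# --- constructed fixture (not the report's sample) ---------------------------

def _dir_entry(name: str, obj_type: int, clsid: str = None) -> bytes:
    """One 128-byte CFB directory entry (MS-CFB 2.6.1 layout)."""
    raw = name.encode("utf-16-le")
    entry = raw.ljust(64, b"\x00")                                  # name
    entry += struct.pack("<HBB", len(raw) + 2, obj_type, 1)         # len, type, colour
    entry += struct.pack("<III", 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)  # siblings/child
    entry += uuid.UUID(clsid).bytes_le if clsid else b"\x00" * 16   # CLSID
    entry += b"\x00" * 20                                           # state, ctime, mtime
    entry += struct.pack("<IQ", 0, 0)                               # start sector, size
    return entry


def _fake_ole(clsid: str, stream_name: str) -> bytes:
    """CFB signature + zeroed header + one directory sector. Enough for the
    byte scan above; not a loadable compound file (no FAT, no stream data)."""
    header = CFB_MAGIC.ljust(512, b"\x00")
    directory = _dir_entry("Root Entry", 5, clsid) + _dir_entry(stream_name, 2)
    return header + directory.ljust(512, b"\x00")


def build_sample_xlsx() -> bytes:
    """Minimal xlsx-shaped zip with two embeddings: an Equation Editor object
    whose Ole10Native stream name is case-mangled, and an OLE Package object
    (CLSID F20DA720-...) with the canonical name, for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/embeddings/oleObject1.bin",
                    _fake_ole(EQNEDT_CLSID, "\x01Ole10nATIvE"))
        zf.writestr("xl/embeddings/oleObject2.bin",
                    _fake_ole("F20DA720-C02F-11CE-927B-0800095AE340", "\x01Ole10Native"))
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_ooxml(build_sample_xlsx()):
        print(hit["part"], hit["verdict"], hit["ole10native_names"])
```

Against a real file, replace `build_sample_xlsx()` with the bytes of the workbook; a part that reports `equation-editor` together with an `Ole10Native` name that is not in canonical case is the same combination the report flags, and is the point at which to hand the part to a full parser and pull the stream out for inspection.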