Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 762e99d8e26289c2…

MALICIOUS

Office (OOXML) / .XLSX

629.7 KB Created: 2010-06-04 08:55:28 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2023-10-17
MD5: ae02185eea70600ba6883df325a8a390 SHA-1: 76d2b03a44cb1c3922b78fdda044a17ed2ab1d63 SHA-256: 762e99d8e26289c2a8014630bee7905e0b1676aadae74fe1f063e0cd485df800
100 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The sample is an OOXML file containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. Heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous header, suggesting it's being used to deliver malicious content. The large declared inner size compared to the stream size further supports this. This technique is commonly used to exploit vulnerabilities in the Equation Editor to execute arbitrary code.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/DbVGb0uW.f1Ec contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
cea7631affdc0cd8f4336a306ced4d52d6499d2a38ead1bda95c3763ed4a706b		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/DbVGb0uW.f1Ec 865280 bytes
ooxml_oleobject_00_ole10native_00.bin
1b7259d80be77ad2f6abed145583fb2e061ac68271b406d9c7239faa9771b0a3		 ole-package OOXML xl/embeddings/DbVGb0uW.f1Ec Ole10Native stream: oLe10NatIVe 855708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.