Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 76403ef39cec24f8…

MALICIOUS

Office (OOXML)

Size: 634.7 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 14.0300
MD5: 0857e270a22bef612c48517e07e00be2
SHA-1: 4b432ed73dc559038ae9478fc86d94e838db4ad2
SHA-256: 76403ef39cec24f8aa7e8a428ec7b05af2feebb5168e402f4244a6bc94a0faa9
Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1137.001 Office Application Startup: Office Template Macros

The file is an OOXML Excel workbook containing an embedded OLE object whose compound-file directory carries the CLSID of Equation Editor 3.0 (EQNEDT32.EXE), a legacy component with a long record of memory-corruption exploits that are triggered simply by the object being loaded. The carved object also holds an Ole10Native (Packager) stream of roughly 905 KB, the container Office uses to embed an arbitrary file, so the object is carrying a sizeable payload in addition to requesting the vulnerable loader. The sheet itself contains tabular data resembling financial records, which serves as a lure to get the recipient to open the workbook and interact with the embedded object.

Heuristics (3)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/mKr.QrG contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. The CLSID identifies the loader the object asks Office to invoke; it is a strong indicator, not proof of exploitation, so confirm by carving the object's streams and inspecting their contents.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    The document contains an embedded OLE object.
  • Fake invoice / payment lure (severity: low; rule: SE_INVOICE_LURE)
    The document contains invoice or payment language paired with an action verb. On its own this is weak; it becomes useful context when combined with link, macro or attachment indicators such as the OLE object above.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 3be8c259ad5d0bd28e6b113538d77fa6bf81702dbe49cc9b89055c3894f33be7
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/mKr.QrG
  Size: 914432 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 40b1a88156f3ab7487f0dcd94a56079fcdab0a72b2992a89100d35a02068bdbc
  Kind: ole-package
  Source: OOXML xl/embeddings/mKr.QrG, Ole10Native stream: oLE10NAtiVe
  Size: 904850 bytes

Two naming details are worth noting. The embedded part is called mKr.QrG rather than the oleObjectN.bin name Office writes itself, and the Packager stream is named oLE10NAtiVe in mixed case. Compound-file directory names are compared case-insensitively, so the OLE loader treats that stream exactly as it would Ole10Native, while any signature that matches the stream name exactly will miss it.
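The two checks the report relies on, finding the Equation Editor CLSID in an embedded OLE part and locating and decoding the Ole10Native stream, are shown below in an added example. This is not the analysis platform's own code; the sample workbook, the stub compound file and the Packager stream it contains are constructed for the example (the stub only mimics the directory-entry fields the scan keys on and is not a loadable OLE file), and the field layout assumed for Ole10Native is the commonly documented one (size, flags, label, source path, two reserved words, temp path with length prefix, payload with length prefix).

```python
import io
import re
import struct
import uuid
import zipfile

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}. Compound-file
# directory entries store CLSIDs in GUID little-endian layout, which bytes_le gives.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
EMBEDDING_PREFIXES = ("word/embeddings/", "xl/embeddings/", "ppt/embeddings/")
# Directory-entry names are UTF-16LE and the CFB loader compares them without regard
# to case, so the search is case-insensitive too: oLE10NAtiVe matches Ole10Native.
OLE10NATIVE_NAME_RE = re.compile("Ole10Native".encode("utf-16-le"), re.IGNORECASE)


def find_embedded_parts(ooxml_bytes):
    """Return (part_name, part_bytes) for every embedded-object part in the package."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        return [(n, zf.read(n)) for n in zf.namelist() if n.startswith(EMBEDDING_PREFIXES)]


def triage_ole_part(part_bytes):
    """Raw-byte checks on one embedded part (no CFB parsing needed for these)."""
    m = OLE10NATIVE_NAME_RE.search(part_bytes)
    return {
        "is_cfb": part_bytes.startswith(CFB_MAGIC),
        "equation_editor_clsid": EQUATION_EDITOR_CLSID.bytes_le in part_bytes,
        "ole10native_stream": m.group(0).decode("utf-16-le") if m else None,
    }


def triage_package(ooxml_bytes):
    """Run the checks over every embedded part; returns {part_name: findings}."""
    return {name: triage_ole_part(data) for name, data in find_embedded_parts(ooxml_bytes)}


def parse_ole10native(stream):
    """Decode a carved Packager (Ole10Native) stream into its fields and payload."""
    total_size, flags = struct.unpack_from("<IH", stream, 0)
    pos = 6
    label_end = stream.index(b"\x00", pos)
    label = stream[pos:label_end].decode("latin-1")
    pos = label_end + 1
    src_end = stream.index(b"\x00", pos)
    src_path = stream[pos:src_end].decode("latin-1")
    pos = src_end + 1
    _reserved1, _reserved2, temp_len = struct.unpack_from("<HHI", stream, pos)
    pos += 8
    temp_path = stream[pos:pos + temp_len].rstrip(b"\x00").decode("latin-1")
    pos += temp_len
    payload_len, = struct.unpack_from("<I", stream, pos)
    pos += 4
    payload = stream[pos:pos + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated Ole10Native payload")
    return {"total_size": total_size, "flags": flags, "label": label,
            "src_path": src_path, "temp_path": temp_path, "payload": payload}


def is_well_formed_ole10native(stream):
    """True when the stream parses and its payload length is fully present."""
    try:
        parse_ole10native(stream)
        return True
    except (ValueError, struct.error):
        return False


def build_ole10native(label, src_path, temp_path, payload):
    """Serialize a Packager stream (constructed test data, inverse of parse_ole10native)."""
    temp = temp_path.encode("latin-1") + b"\x00"
    body = struct.pack("<H", 2) + label.encode("latin-1") + b"\x00" + src_path.encode("latin-1") + b"\x00"
    body += struct.pack("<HHI", 0, 3, len(temp)) + temp + struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Constructed sample stream; the payload is an inert marker, not a real executable.
SAMPLE_STREAM = build_ole10native("invoice.exe", "C:\\Users\\victim\\invoice.exe",
                                  "C:\\Temp\\invoice.exe", b"MZ-not-really-a-pe")


def build_sample_workbook():
    """Constructed xlsx whose embedded part is a stub 'compound file' carrying the
    Equation Editor CLSID, a mixed-case Ole10Native name and SAMPLE_STREAM."""
    stub_cfb = (CFB_MAGIC + b"\x00" * 504 + "oLE10NAtiVe".encode("utf-16-le") + b"\x00" * 20
                + EQUATION_EDITOR_CLSID.bytes_le + b"\x00" * 16 + SAMPLE_STREAM)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/mKr.QrG", stub_cfb)
    return buf.getvalue()


if __name__ == "__main__":
    for name, findings in triage_package(build_sample_workbook()).items():
        print(name, findings)
    print(parse_ole10native(SAMPLE_STREAM)["label"])
```

On a real sample the CLSID and stream-name scans work directly on the bytes of the embedded part, but carving the stream itself needs a compound-file parser (for example olefile's `openstream`) to follow the FAT chain; the stub above simply appends the stream so the decoder can be exercised offline. The truncation check matters because the payload length field is attacker-controlled and a stream whose declared size exceeds the data present is itself a useful signal.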