Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 77902db0430112f8…

MALICIOUS

Office (OOXML) / .XLSX

Size: 700.6 KB
Created: 2024-03-25 10:30:17 UTC
Authoring application: Microsoft Excel 12.0000
MD5: c0c3533deb75a6db733e297f88f0b746
SHA-1: a25821d191fab518f78ac7517bfa7e7c2b75d6af
SHA-256: 77902db0430112f8116cda10ea648777d0fcf96e15436ade871280c85cd9fc73
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The high-severity heuristic OLE_EQUATION_EDITOR indicates that the XLSX file carries an embedded OLE object referencing the legacy, vulnerable Equation Editor component. Such objects are a common exploit delivery vehicle and frequently lead to arbitrary code execution when the document is opened on an unpatched host. No document body or scripts were extracted, which limits further analysis of the specific payload.

Heuristics 2

  • OLE_EQUATION_EDITOR: Equation Editor OLE object (severity: high, CVE-related)
    Embedded OLE object xl/embeddings/cQiebp.25hMnNR contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • OOXML_OLE_OBJECT: Embedded OLE object (severity: medium)
    Document contains an embedded OLE object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: ece619e701a342a9c47dd208a04ced018527908c34c6ec6af857542b1496e555
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/cQiebp.25hMnNR
Size: 1012224 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
SHA-256: 36fc198b8de6061649946076c551798267ed2d3d96ee86ee5522ee06d639ad87
Kind: ole-package
Source: OOXML xl/embeddings/cQiebp.25hMnNR Ole10Native stream: OLe10NATiVE
Size: 1001834 bytes