Ole2.Exploit.ZxxZDownloader — Office (OOXML) / .XLSX malware analysis

Static analysis result for SHA-256 789fdf26bc9167e3…

MALICIOUS

Office (OOXML) / .XLSX

Size: 11.2 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2022-05-13

MD5: 0f33a0b36bef85c2ae6d977f89d70262
SHA-1: cabbd8d1ee1172289c17ee6488d3aef9012a64f6
SHA-256: 789fdf26bc9167e3300f56cfe07c2eb6247f3339152a6e1f6edfe4707bd62564

Risk Score: 180

Malware Insights

Ole2.Exploit.ZxxZDownloader · confidence 95%

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an Office Open XML (OOXML) file containing an embedded OLE object, specifically identified as an Equation Editor exploit. ClamAV detections confirm this, naming the family as 'Ole2.Exploit.ZxxZDownloader'. This indicates the file is designed to exploit a vulnerability in the Equation Editor to achieve initial execution, likely delivered as a spearphishing attachment.

Heuristics (4)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Ole2.Exploit.ZxxZDownloader-9944376-0 (severity: critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Ole2.Exploit.ZxxZDownloader-9944376-0
  • ClamAV detection on extracted artifact (severity: critical) [EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256: d17013b947fbac4a2aaeb80255d5f8314f4822b4c0874a2fb165dc2a1606d25f
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
  Size: 6656 bytes
  Detection: ClamAV: Ole2.Exploit.ZxxZDownloader-9944376-0
  Obfuscation or payload: unlikely

Artifact 2
  Filename: ooxml_oleobject_01.bin
  SHA-256: 86c4976b799d2b4d297793286e33c60be37d602a756b2953429f03368057d839
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/oleObject2.bin
  Size: 6656 bytes
  Detection: ClamAV: Ole2.Exploit.ZxxZDownloader-9944376-0
  Obfuscation or payload: unlikely

Artifact 3
  Filename: emf_00.emf
  SHA-256: c2f962ded401fe1d00a71a8c4363129f7ffd4f184d997c6daa36d66560ddedf9
  Kind: ooxml-emf
  Source: OOXML EMF part: xl/media/image1.emf
  Size: 3614 bytes