Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 7a70a7f2fea8ed97…

MALICIOUS

Office (OOXML) / .XLSX

Size: 595.9 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2024-06-14
MD5: 09d53391b30e3e863b6aac903a12c222
SHA-1: f60eb5c207bdb227680b6e72db72539768c55906
SHA-256: 7a70a7f2fea8ed97c5366b030e22824240fffd352d8fc5f933d207dc1ed08bce
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The file is an Excel document containing an embedded OLE object, specifically identified as an Equation Editor object. This strongly suggests exploitation of a known vulnerability within the Equation Editor component to execute arbitrary code. The embedded object is likely a secondary payload designed to further compromise the system.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/YS6bVVaZd.vU contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: eeb97c16671be07fa1882e361b6142fa37997732a2fa01f4fc02b69cee7b8c83
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/YS6bVVaZd.vU
    Size: 815616 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 88f3a3bf5aa77e73ebbea37ad54113d015f58c274c263fccfffc0d18ecb02ee8
    Kind: ole-package
    Source: OOXML xl/embeddings/YS6bVVaZd.vU Ole10Native stream: oLE10NATIVe
    Size: 806634 bytes