Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 7b8a8ac032bdeb17…

MALICIOUS

Office (OOXML) / .XLSX

701.5 KB Created: 2023-08-03 11:34:29 UTC Authoring application: Microsoft Excel 16.0300
MD5: d71d0c1a9556642275c4212de2493e77 SHA-1: fcc411f3c34ff5509441de15bf172bd0cda7a403 SHA-256: 7b8a8ac032bdeb177462c0e5ccb50a0d7422ae1a77792df0a6411aeb838590e7
60 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an Excel file containing an embedded OLE object identified as an Equation Editor object. This is a common method for exploiting vulnerabilities or delivering second-stage malware. No specific scripts or document body content were extracted for further analysis, but the presence of the Equation Editor object is a strong indicator of malicious intent.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/7It.Z85V contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
a4dd39f002eab19e6b5c0c3a00d2deba50ee96d00e83adbf20a3fb37a1c51ed1		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/7It.Z85V 1038848 bytes
ooxml_oleobject_00_ole10native_00.bin
76d53d649bdb1fb2cd348b3fe1bd82f0b5d3bafd733076988821407fb8474295		 ole-package OOXML xl/embeddings/7It.Z85V Ole10Native stream: oLe10NatIVE 1028108 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.