Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 7efc8926572801f2…

MALICIOUS

Office (OOXML) / .XLSX

Size: 720.3 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2023-09-01
MD5: d1f09ebacc4975c1c063a937aff5cb9f
SHA-1: 65bb2528b029605f8bdb4cf2bb7dfb4b21fff560
SHA-256: 7efc8926572801f21a109e743d788ee801aaaf4f206cae0b0c028761b9673a59
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link: Malicious Link
  • T1559 Component Object Model Hijacking
  • T1559.001 Component Object Model Hijacking: Component Object Model Hijacking

The file is an Excel document containing an embedded OLE object, specifically identified as a vulnerable Equation Editor object. This object carries a payload-like stream with an anomalous header, indicating it is designed to exploit the Equation Editor vulnerability. The embedded OLE object is the primary indicator of malicious intent and likely leads to the execution of a secondary payload.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE-related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/IWjAd.J5FQJ7 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high; rule: OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256: d0f478ad34e29150a5f4f34dc70ad667060d00f6260d843d8a776476fa0ff705
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/IWjAd.J5FQJ7
  Size: 1048576 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 090ec6e40bd42ab6e6b9b58ebb33f972a77d34af6d09cbe16d8e4e3e526d5c24
  Kind: ole-package
  Source: OOXML xl/embeddings/IWjAd.J5FQJ7 Ole10Native stream: OLe10NatiVe
  Size: 1038257 bytes