Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 7f57ce9a8b3a0547…

MALICIOUS

Office (OOXML) / .XLSX

Size: 737.6 KB | Created: 2023-07-26 19:45:53 UTC | Authoring application: Microsoft Excel 12.0000 | First seen: 2023-08-16
(Created and Authoring application are taken from the document's own metadata parts and are attacker-controlled.)
MD5: 19dac361e95ddc4e12aa1e3b20c7c23b SHA-1: 8afd489ed6b8f63b599f99aff959cc160cc85da6 SHA-256: 7f57ce9a8b3a0547c2f1e741a6f098d61e9e49c698ec656bee45d36d3a5ed680
Risk score: 100

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model; T1204.002 User Execution: Malicious File

The sample is an OOXML workbook containing an embedded OLE object (xl/embeddings/ar.tbr, a non-standard part name; Excel itself writes oleObjectN.bin) whose root CLSID identifies it as an Equation Editor object. Instead of the Equation Native (MTEF) stream such an object normally carries, it stores a large, high-entropy Ole10Native (Packager) stream whose declared package sizes do not match the stream length. That combination is the shape of a dropper staging a secondary payload or exploit. The embedded OLE object is the primary indicator of malicious intent.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/ar.tbr carries the Equation Editor CLSID, the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high) [OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    The embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream whose package header sizes do not match the stream length. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. The rule is not tied to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    The workbook contains an embedded OLE object (xl/embeddings/ar.tbr).
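The two Equation Editor rules above can be reproduced on the carved OLE part with a few dozen lines of Python. The following is an added example, not the analysis platform's code: it reads the root CLSID straight out of the Compound File header, matches the Ole10Native stream name case-insensitively (the sample's stream is spelled oLE10NaTive), parses the Ole10Native package header and checks its declared sizes against the real stream length, and scores the data by Shannon entropy. The rule names are the report's; the size and entropy thresholds, the scoring logic, the builder helpers and the two constructed samples (a benign Package object and an Equation Editor object with a mis-sized random payload) are assumptions made for the demonstration. The Ole10Native layout follows the one oletools' oleobj parses.

```python
"""Equation Editor / Ole10Native checks (added example, not the platform's code)."""
import math
import random
import struct
import uuid
from collections import Counter

EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")  # Equation.3
PACKAGE_CLSID = uuid.UUID("0003000C-0000-0000-C000-000000000046")          # OLE Package (benign sample only)

LARGE_PAYLOAD_BYTES = 512 * 1024   # assumed threshold for "large"
HIGH_ENTROPY_BITS = 7.0            # assumed threshold for "high entropy"

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def root_clsid(cfb: bytes) -> uuid.UUID:
    """Root storage CLSID of a CFB/OLE2 image: sector shift at 0x1E, first
    directory sector at 0x30, root entry is the first 128-byte entry, CLSID at +0x50."""
    if cfb[:8] != CFB_MAGIC:
        raise ValueError("not a CFB/OLE2 file")
    sector_size = 1 << struct.unpack_from("<H", cfb, 0x1E)[0]
    first_dir = struct.unpack_from("<I", cfb, 0x30)[0]
    entry = (first_dir + 1) * sector_size          # sector n lives at (n+1) * sector_size
    return uuid.UUID(bytes_le=cfb[entry + 0x50:entry + 0x60])


def is_ole10native_name(stream_name: str) -> bool:
    """Case-insensitive match so evasive spellings like 'oLE10NaTive' still hit."""
    return stream_name.lstrip("\x01").lower() == "ole10native"


def _cstr(buf: bytes, off: int):
    end = buf.index(b"\x00", off)
    return buf[off:end], end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Parse the Ole10Native header: DWORD total_size, WORD flags, CSTR label,
    CSTR src_path, DWORD unknown, DWORD temp_path_len, CSTR temp_path,
    DWORD data_size, data. Flags every size field that disagrees with the stream."""
    total_size = struct.unpack_from("<I", stream, 0)[0]
    off = 6                                        # past total_size and flags
    label, off = _cstr(stream, off)
    src_path, off = _cstr(stream, off)
    off += 8                                       # unknown DWORD + temp_path length
    temp_path, off = _cstr(stream, off)
    data_size = struct.unpack_from("<I", stream, off)[0]
    off += 4
    anomalies = []
    if total_size != len(stream) - 4:              # total_size counts everything after itself
        anomalies.append("total_size_mismatch")
    if data_size > len(stream) - off:
        anomalies.append("data_size_exceeds_stream")
    return {"label": label, "src_path": src_path, "temp_path": temp_path,
            "declared_total": total_size, "declared_data": data_size,
            "data": stream[off:off + data_size], "anomalies": anomalies}


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_embedding(cfb: bytes, streams: dict) -> list:
    """Apply the report's two rules to one embedded OLE part. `streams` maps
    stream name -> raw bytes (what an OLE parser such as olefile returns)."""
    if root_clsid(cfb) != EQUATION_EDITOR_CLSID:
        return []
    hits = ["OLE_EQUATION_EDITOR"]
    for name, raw in streams.items():
        if not is_ole10native_name(name):
            continue
        pkg = parse_ole10native(raw)
        large = len(pkg["data"]) >= LARGE_PAYLOAD_BYTES
        dense = shannon_entropy(pkg["data"]) >= HIGH_ENTROPY_BITS
        if pkg["anomalies"] and large and dense:
            hits.append("OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY")
    return hits


def build_minimal_cfb(clsid: uuid.UUID) -> bytes:
    """Constructed sample: header + one directory sector whose root entry carries `clsid`.
    Enough for root_clsid(); not a loadable document."""
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HH", header, 0x1A, 3, 0xFFFE)   # major version 3, byte order mark
    struct.pack_into("<H", header, 0x1E, 9)            # 512-byte sectors
    struct.pack_into("<I", header, 0x30, 0)            # first directory sector = 0
    root = bytearray(128)
    root[:20] = "Root Entry".encode("utf-16-le")
    struct.pack_into("<HB", root, 0x40, 22, 5)         # name length incl. NUL, type 5 = root storage
    root[0x50:0x60] = clsid.bytes_le
    return bytes(header) + bytes(root) + bytes(512 - 128)


def build_ole10native(filename: bytes, data: bytes, extra_declared: int = 0) -> bytes:
    """Constructed sample: a well-formed Ole10Native package, or one whose total_size
    overstates the stream by `extra_declared` bytes (the malformed sizing the rule targets)."""
    temp_path = b"C:\\Temp\\" + filename
    body = struct.pack("<H", 2) + filename + b"\x00" + temp_path + b"\x00"
    body += struct.pack("<II", 3, len(temp_path) + 1) + temp_path + b"\x00"
    body += struct.pack("<I", len(data)) + data
    return struct.pack("<I", len(body) + extra_declared) + body


def demo() -> dict:
    """Benign Package object vs. Equation Editor object with a large, random, mis-sized payload."""
    benign = assess_embedding(build_minimal_cfb(PACKAGE_CLSID),
                              {"\x01Ole10Native": build_ole10native(b"notes.txt", b"quarterly numbers\r\n" * 40)})
    payload = random.Random(7).randbytes(600 * 1024)   # stand-in for packed shellcode/PE
    malicious = assess_embedding(build_minimal_cfb(EQUATION_EDITOR_CLSID),
                                 {"\x01oLE10NaTive": build_ole10native(b"ar.tbr", payload, extra_declared=0x1000)})
    return {"benign": benign, "malicious": malicious}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits or 'no findings'}")
```

On a real sample, feed `assess_embedding()` the bytes of xl/embeddings/ar.tbr pulled from the zip and the streams an OLE parser lists for it; the CLSID check alone reproduces OLE_EQUATION_EDITOR, and the second rule only fires when all three conditions (mis-sized header, large, high entropy) hold, which keeps ordinary Packager objects with small plaintext attachments quiet.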

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / SHA-256 | Kind | Source | Size

ooxml_oleobject_00.bin
  SHA-256: 14689b720034d5c59e0e6b3bb3e75d9a4e5370cd15aac2ec6304630289d31dd3
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/ar.tbr
  Size: 1037824 bytes

ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 166c15f8304766ab246aa4045f144ba800320180bca2051459f64c40d4ce9f6a
  Kind: ole-package
  Source: OOXML xl/embeddings/ar.tbr, Ole10Native stream (stored under the mixed-case name oLE10NaTive)
  Size: 1027159 bytes