Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 7fce1a191ece0edf…

MALICIOUS

Office (OOXML) / .XLSX

692.9 KB Created: 2010-06-04 08:55:28 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2023-02-09
MD5: 39f81bccec8d7503c13e8926e27f1928 SHA-1: d46dcc628454ba3314c50337c765bdd9cde56fde SHA-256: 7fce1a191ece0edf0982a5bfae6d6d2751c30b5d49f31d5fc39b719c25c0ce05
100 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The file is an Office document containing an embedded OLE object, specifically identified as a vulnerable Equation Editor object. High-severity heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous header, suggesting it's designed to exploit a vulnerability. The embedded OLE object is the primary indicator of malicious intent, likely leading to the execution of a secondary payload.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/agD2UnZ.ET contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
cf906059e9277ef1dd6f3c3568046cecda7759ae1a691d263cf4c72f808d589f		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/agD2UnZ.ET 997888 bytes
ooxml_oleobject_00_ole10native_00.bin
18473bd35a03428d5335dca8e9290da1224cc8edf97e8fc0988d5aac1052fca6		 ole-package OOXML xl/embeddings/agD2UnZ.ET Ole10Native stream: ole10nATiVe 987490 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.