Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8059617f975fc5b8…

MALICIOUS

Office (OOXML) / .XLSX

632.1 KB Created: 2021-05-06 12:58:54 UTC Authoring application: Microsoft Excel 14.0300
MD5: 5a490987b71b5bb74fcc8bdb0edd7d17 SHA-1: 0c429a64850355c6c736c317afaa9766df737802 SHA-256: 8059617f975fc5b874900bcd794795c1442ad4dd9b00bc21d9c54607fc3291ce
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample contains an embedded OLE object, specifically identified as an Equation Editor object, which is known to be a vector for exploiting vulnerabilities. The 'OLE_EQUATION_EDITOR' and 'OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY' heuristics indicate that this object carries a payload. The document body, formatted as a payslip, is likely a lure to encourage the user to open the malicious embedded object.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/iajQcD.CFhktG contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
4f5b16146de3495873379762b121346afdb3ab4ca53d967a04a9b05cc2faebe2		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/iajQcD.CFhktG 925184 bytes
ooxml_oleobject_00_ole10native_00.bin
e0ddd6fad2bc21458c3919725a9969fa4d37d071665f16274b793291e732f768		 ole-package OOXML xl/embeddings/iajQcD.CFhktG Ole10Native stream: olE10nATIvE 915103 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.