Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 81d56b3c7ac76cb1…

MALICIOUS

Office (OOXML) / .XLSX

Size: 793.1 KB
Created: 2024-09-30 12:55:35 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 2a58821e3a588505217167f1ca6e5d81
SHA-1: 8b0084213b557645e873aea87bf64234301979ca
SHA-256: 81d56b3c7ac76cb16c15d4efe7a4d3658d80b17675b72b9300a237b333281bfd
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object is frequently used to deliver malicious payloads. The document body, while appearing to be financial data, is likely a lure to encourage the user to interact with the embedded object. The presence of the Equation Editor OLE object is a strong indicator of malicious intent.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE-related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/4D.y03 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 8dee16a4e7c4c85480f9101ac44622c3d3b573812b74f62b562bb1978a9e4e6b
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/4D.y03
    Size: 994304 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 7c9ebc8c7b66c934d41f9d4fbf650339aecc8d153a63799fb69130f5e5330eb7
    Kind: ole-package
    Source: OOXML xl/embeddings/4D.y03 Ole10Native stream: Ole10NAtiVe
    Size: 983918 bytes