Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 835d8b1a86451304…

MALICIOUS

Office (OOXML) / .XLSX

682.9 KB
MD5: 23fec76e80ed8adcc01f678b99e95d8b SHA-1: eb1cb64d9a736f6ab5d93df605118168811f3f1e SHA-256: 835d8b1a86451304dde60a74ad12086ebda5b1fb39224e5f2fec637d8ddb6313
110 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample contains an embedded OLE object, specifically identified as an Equation Editor object, which is known to be a vector for exploiting vulnerabilities. The OLE10Native stream within this object shows an anomaly with a declared size far exceeding the actual stream size, indicating a potential payload. This suggests the document is designed to exploit a client-side vulnerability to execute arbitrary code, likely a downloader for further malicious activity. The presence of external hyperlinks, including one to Reddit, further supports the context of a potentially malicious document.

Heuristics 5

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/mF5.zDi contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • External hyperlinks (710) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 710 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.reddit.com/r/dogecoin
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.iconomi.net/
    • https://www.coinist.io/press-releases/
    • https://blockstack.org/
    • https://icopressrelease.com/
    • http://www.icoduniya.com/
    • http://btcwarriors.com/
    • https://www.tezos.com/
    • https://bitcoinblackhat.com/
    • https://crypto20.com
    • https://coinforum.ca
    • https://tokenbox.io/
    • http://altcoinalerts.com/press-releases-ico/
    • https://grayscale.co/
    • http://icocrowd.com/send-a-press-release/
    • https://www.taas.fund/
    • http://worldcoinindex.com/
    • https://www.bitcoin-millionaire.com/forums/
    • https://thetoken.io/
    • https://icotimeline.com/tag/press-release/
    • http://tokenmarket.net/
    • https://bitco.in/forum/
    • https://blackmooncrypto.com/
    • https://coindelite.com/ico-press-release/
    • https://bitcoinforum.com
    • https://www.astronaut.capital/
    • http://icocalendar.today/
    • http://blockchain.capital/
    • https://icopanic.com/submit-press-release/
    • http://coinschedule.com/
    • https://thebitcoinstrip.com/free-bitcoins/
    • https://satoshi.fund/
    • https://blokt.com/submit-a-press-release
    • http://52ico.com/
    • https://bitcoingarden.org/forum/
    • https://www.panteracapital.com/
    • https://bitcoinexchangeguide.com/ico-press-release-marketing/
    • http://icoalert.com/
    • https://multicoin.capital/
    • https://londonletter.org/submit-ico-press-release/
    • http://coinhills.com/
    • https://forumbitcoin.co.id
    • http://polychain.capital/
    • http://cryptocoincharts.info/
    • https://triaconta.com/
    • https://cryptofame.io/ico-press-release/
    • http://allcoin.com/
    • https://melonport.com/
    • http://bluemagic.info/
    • https://bitcoinchaser.com/press-release
    • http://icorating.com/
    +519 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
7359635a27bf5f8bebd479df615b0741afaf318b401e3df5e6df0f19ec74869a		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/mF5.zDi 941568 bytes
ooxml_oleobject_00_ole10native_00.bin
adaf27af59f167fd817a1ce6754c92c16667b927e15f5343f0ea4b6965c437e1		 ole-package OOXML xl/embeddings/mF5.zDi Ole10Native stream: OLE10natIvE 931389 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.