Office (OOXML) / .XLSX malware analysis — malicious · 8682bfe0778cdeb7

MALICIOUS

Office (OOXML) / .XLSX

13.4 KB Created: 2020-06-03 08:11:21 UTC Authoring application: Microsoft Excel 12.0000

MD5: a06b7909269a719e3f27e0a250e184fd SHA-1: 29926af07031909a130bdd84d809f9d575856df5 SHA-256: 8682bfe0778cdeb7bcd1e772b741eb917dad24ddb26ab3733a7c4f6f6391a2fa

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1559.001 Component Object Model and Distributed Component Object Model

The sample is an OOXML file containing an embedded OLE object, specifically identified as an Equation Editor object. High-severity heuristics indicate a potential exploitation of CVE-2018-0798 due to anomalous Equation Editor native stream properties. This suggests the file is designed to execute arbitrary code through this vulnerability when opened.

Heuristics 3

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
CVE-2018-0798 — anomalous Equation Editor native stream high CVE likely CVE_2018_0798_EQUATION_NATIVE_ANOMALY

Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `c0f5e1d7f74c1bb5ec496ac59de0d66b2070916d89dd0f39e96f77a1b99f6f30`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject1.bin	8704 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.