Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 86cb4f209e01280e…

MALICIOUS

Office (OOXML)

Size: 674.3 KB
Created: 2021-03-22 07:25:48 UTC
Authoring application: Microsoft Excel 16.0300
MD5: a0287f52a42bec7b8756fef7fdb37be5
SHA-1: 788f23cba38a6780a1bb0f26f7eedeebfcdff089
SHA-256: 86cb4f209e01280e5e290d87427a19a09d77e28a42c08f805d2443f17db26706
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an OOXML document containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate that this object carries a payload-like Ole10Native stream, suggesting it is designed to execute malicious code when the document is opened. The document body is formatted as a quote for CCTV equipment, likely a lure to trick the user into interacting with the embedded object.

Heuristics (3)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/LWmZ.wFFel9f contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high; rule: OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256: b79bb58885b4f3d11a3690c9b022ecbf4bddbcbc4cc6399385a0526f9ef28b66
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/LWmZ.wFFel9f
  Size: 957952 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: a16df02f691a9899724279c0bcc40802aff8e4695399b3408044d237e3a62c45
  Kind: ole-package
  Source: OOXML xl/embeddings/LWmZ.wFFel9f Ole10Native stream: Ole10naTive
  Size: 948077 bytes