Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 86edacad6129e32c…

Verdict: MALICIOUS
File type: Office (OOXML) / .XLSX
Size: 714.8 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2023-09-13
MD5: 96213a13c5ea46a1df51d8eb1d467593
SHA-1: f25afb88499477bbd0144cb9e35ff24c9d658edd
SHA-256: 86edacad6129e32c5a6646635dc66ac29d35515cc6b0ea6c9e1cd564b02009a4
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The sample is an Office document containing an embedded OLE object, specifically identified as a vulnerable Equation Editor object. This object carries a payload-like Ole10Native stream, indicating that it is designed to exploit the Equation Editor vulnerability to execute malicious code. The large size and high entropy of the Ole10Native stream further suggest that it contains executable content.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/Rj.dqoFI contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high) [OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256:  dd3534926e27b1c88e2b4598055175999a9bbaf03e624ba6efe15313883c16ec
  Kind:     ooxml-ole-object
  Source:   OOXML embedded OLE part: xl/embeddings/Rj.dqoFI
  Size:     995328 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256:  8e06978b283609fc881d32043366e6919b2def44e8870725ca486974c1add975
  Kind:     ole-package
  Source:   OOXML xl/embeddings/Rj.dqoFI Ole10Native stream: ole10NaTIVE
  Size:     984700 bytes