Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8700acf7f7771cfc…

MALICIOUS

Office (OOXML) / .XLSX

Size: 639.2 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 9e6cd3ab7762a50813fb25b114e2b162
SHA-1: df4651b08187b62b0a6c43d60e73d3e6374af545
SHA-256: 8700acf7f7771cfc2e0f8b56f76286e12e2a40016db0d41a3bce914b05f464a9
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link
  • T1559 Component Object Model Hijacking
  • T1559.001 Component Object Model Hijacking

The file is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. This strongly suggests the exploitation of a known vulnerability within the Equation Editor component to execute arbitrary code. The embedded OLE object itself is the primary indicator of compromise. No scripts were extracted, and the document body contains what appears to be invoice and product information, which is likely a lure.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/9zL.Q6LhbM contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 027fb6970717efba29e3144dbe2952a10b116df00fdfe1257be99c229e51b389
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/9zL.Q6LhbM
    Size: 915456 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 0cdeefd1dbcf884e40f9be7e096d998b2e22e54aba3dd7237f84dae746676fa3
    Kind: ole-package
    Source: OOXML xl/embeddings/9zL.Q6LhbM Ole10Native stream: oLe10nAtIVe
    Size: 906170 bytes