Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 87c11e91ae0ec1d3…

MALICIOUS

Office (OOXML) / .XLSX

Size: 778.9 KB
Created: 2024-09-30 12:55:35 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 1ceb0704ce7180d31e51d1b19577f8fd
SHA-1: 2b36a1718e467f7c651b0f6988c2c00bb2cf510d
SHA-256: 87c11e91ae0ec1d31aba83c2e3f3a70a8bccfc731be2be1fe4aaa91681825acd
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is an Excel document containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object is frequently used to exploit vulnerabilities such as CVE-2017-11882. The presence of this embedded object strongly suggests an attempt to deliver a malicious payload or exploit. No scripts were extracted from this sample.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/i8VRcatI.OtK contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 55bc321807b540c1fd9a58185b799e0252e9c7fc4c1ce5a8a4b5eca63ce131c1
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/i8VRcatI.OtK
    Size: 1039872 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: fe08a0f542dcf60de8f543bfc588d3f9a4b1566e304fa5f5a8ac3655c0269725
    Kind: ole-package
    Source: OOXML xl/embeddings/i8VRcatI.OtK Ole10Native stream: olE10NATIvE
    Size: 1029458 bytes