Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8ed233c5e065706c…

MALICIOUS

Office (OOXML) / .XLSX

Size: 625.8 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2024-08-16
MD5:     0e750a01bc456401fb149490b94fa99e
SHA-1:   962222e17505d1decc15b66c7a4f894380f34c75
SHA-256: 8ed233c5e065706c19a7490c2d7076a55f9c580120ea5a5be55922c6fca85c7e
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1203     Exploitation for Client Execution
T1559.001 Component Object Model Hijacking

The sample is an Office Open XML spreadsheet containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. High-severity heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous header, suggesting it is designed to execute malicious code. This points to an exploitation attempt targeting the Equation Editor component to achieve arbitrary code execution.

Heuristics (3)

  • Equation Editor OLE object  [high] [CVE related]  OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/jnH.LvEm contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream  [high]  OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object  [medium]  OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: aca1b596838b7f68adb33d63d2523d1a16451a9a454b03ecfe1e24be9dc5b389
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/jnH.LvEm
  Size:    870912 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 69d1b73446f9d19d2817674eae3f5fe13cee8d909c192ca58af064a22b488dbd
  Kind:    ole-package
  Source:  OOXML xl/embeddings/jnH.LvEm Ole10Native stream: oLE10Native
  Size:    861296 bytes