Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 9056cc6135c228f2…

MALICIOUS

Office (OLE) / .XLSX

32.5 KB
MD5: fb011f424e35d3bbe2ebb55295f6ddca SHA-1: f68ddc67dbe28c468f350c507fea2dca51414901 SHA-256: 9056cc6135c228f25d0222ac50d8474f8da6b2cf4c456f9ad0697b5fc945ce0b
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1566.002 Spearphishing Link

The OOXML file is encrypted with a default password and contains an OLE object, indicating it is likely an exploit carrier. The presence of an embedded OLE object suggests an attempt to deliver a secondary payload. Without further analysis of the OLE object, the specific attack vector and family remain unclear.

Heuristics 2

  • Default-encrypted OOXML exploit carrier layout high OOXML_ENCRYPTED_EXPLOIT_CARRIER_SHAPE
    Default-password encrypted OOXML package contains embedded OLE object parts and additional activation/decoy parts. This layout is common in malicious Excel exploit delivery and requires inspecting the decrypted package.
  • Office OOXML encrypted with default VelvetSweatshop password medium OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML
    OLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens this transparently, and malware uses it to hide OOXML exploit parts from scanners that only inspect the outer OLE container.

Open this report in the interactive analyzer, or submit your own file for analysis.