Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9117e66824da8fc6…

MALICIOUS

Office (OOXML) / .XLSX

Size: 664.2 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 3b5e9becf5ccb9dc9d3b028c2a0a9b1c
SHA-1: 87f8f86a899631b6afb1b819fa70f37384d8a88b
SHA-256: 9117e66824da8fc61c93cfe8058da8d8e4ec1d2dbb9ff25c1490771d0bd2826e
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment (Phishing)
T1204.002 Malicious File (User Execution)

The file is an Excel (OOXML) workbook that carries an embedded OLE object whose class identifier marks it as a Microsoft Equation Editor object. Equation Editor (EQNEDT32.EXE) is a legacy component that Office loads as a separate process, and its equation-record parser has memory-corruption flaws (CVE-2017-11882, CVE-2018-0802, CVE-2018-0798) that let a crafted object execute attacker code when the document is opened, without macros. No scripts or secondary payload were decoded during analysis, so the verdict rests on the object itself: an Equation Editor object has no place in a spreadsheet from an unsolicited source, which is why the report rates the file malicious rather than merely suspicious. Two details deserve attention during manual triage. First, the carved object also contains an Ole10Native stream of 892189 bytes; that stream is the OLE Packager container for an embedded file and the natural place for a dropped executable, whereas the Equation Editor exploit itself lives in a small "Equation Native" stream, so the Ole10Native payload should be extracted and examined separately. Second, the core properties record a creation time of 2010-06-04 while naming Excel 15 (Office 2013) as the authoring application, so the document metadata was probably carried over from another file rather than produced by the application that wrote this one.

Heuristics (2)

  • Equation Editor OLE object [severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/YOC.pWCpAs carries the Equation Editor CLSID ({0002CE02-0000-0000-C000-000000000046}), the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. The part name is itself unusual: Office reaches embedded parts through the worksheet's relationship file, so the name is attacker-chosen, and a name other than the oleObjectN.bin that Excel writes points to the file having been assembled by tooling rather than saved from Excel.
  • Embedded OLE object [severity: medium; rule: OOXML_OLE_OBJECT]
    The document contains an embedded OLE object. On its own this is common in benign files (charts, pasted documents), which is why it scores medium; it is the class of the object that raises the risk.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                               Kind              Source                                                          Size
ooxml_oleobject_00.bin                 ooxml-ole-object  OOXML embedded OLE part: xl/embeddings/YOC.pWCpAs               901632 bytes
  SHA-256: 3222b3759aa9a3f1f964df25a240858e32be313d64ed6666fd6ef85d250ce3f7
ooxml_oleobject_00_ole10native_00.bin  ole-package       OOXML xl/embeddings/YOC.pWCpAs Ole10Native stream: oLe10NaTiVe  892189 bytes
  SHA-256: 316a02198e736017c251ac8ac630e7be5a85bc87f436816546dac6f36b9374cf

Note that the Ole10Native stream is stored under the mixed-case name oLe10NaTiVe. Compound-file directory names are compared case-insensitively, so Office resolves it like any other Ole10Native stream, but a detection rule that matches the stream name case-sensitively will miss it. The carved stream (892189 bytes) is larger than the 664.2 KB workbook because the OOXML container is a ZIP archive and the object is stored compressed.
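The script below is an added example, not the analysis platform's code and not data carved from the sample. It reproduces the checks behind the two heuristics above and the artifact table: it enumerates the xl/embeddings/ parts of a workbook, reads the root CLSID of an embedded compound file and matches it against the Equation Editor class, matches the Ole10Native stream name case-insensitively (so the mixed-case oLe10NaTiVe listed above is still caught), and parses an Ole10Native stream to recover the embedded file together with its original and temporary paths. It uses only the Python standard library. The CLSID table, the Ole10Native field layout (the one common OLE tooling reads), and every input (the skeletal compound-file header, the Packager stream and the workbook skeleton) are assumptions constructed for the example.

```python
import io
import struct
import uuid
import zipfile
from typing import List

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
NULL_CLSID = uuid.UUID(int=0)  # benign control value for the tests

# OLE classes to flag on sight: the Equation Editor class that rule
# OLE_EQUATION_EDITOR matched, and the Packager class whose objects carry an
# Ole10Native stream (the container of an embedded file).
RISKY_CLSIDS = {
    EQUATION_EDITOR_CLSID: "Equation Editor 3.0 (EQNEDT32.EXE)",
    uuid.UUID("0003000C-0000-0000-C000-000000000046"): "OLE Package (Packager)",
}

def embedded_ole_parts(xlsx_bytes: bytes) -> List[str]:
    """Every ZIP part under xl/embeddings/. Office reaches these through the
    worksheet's .rels file, so the name is attacker-chosen: anything other than
    Excel's own oleObjectN.bin (here YOC.pWCpAs) deserves a look."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.startswith("xl/embeddings/"))

def root_clsid(cfb: bytes) -> uuid.UUID:
    """CLSID of the root storage of an OLE compound file (MS-CFB): first
    128-byte entry of the first directory sector, CLSID at entry offset 0x50."""
    if cfb[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    (sector_shift,) = struct.unpack_from("<H", cfb, 0x1E)
    (first_dir_sector,) = struct.unpack_from("<I", cfb, 0x30)
    entry = (first_dir_sector + 1) << sector_shift  # sector 0 follows the header
    return uuid.UUID(bytes_le=cfb[entry + 0x50:entry + 0x60])

def triage(xlsx_bytes: bytes) -> List[str]:
    """Name every embedded part whose root CLSID is in RISKY_CLSIDS."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for part in embedded_ole_parts(xlsx_bytes):
            label = RISKY_CLSIDS.get(root_clsid(zf.read(part)))
            if label:
                findings.append(f"{part}: {label}")
    return findings

def is_ole10native(stream_name: str) -> bool:
    """MS-CFB compares directory names case-insensitively, so the report's
    mixed-case 'oLe10NaTiVe' is the same stream as '\\x01Ole10Native';
    a case-sensitive match would miss it."""
    return stream_name.lstrip("\x01").upper() == "OLE10NATIVE"

def parse_ole10native(blob: bytes) -> dict:
    """Packager Ole10Native layout (as common OLE tooling reads it): total size,
    flags, NUL-terminated label and source path, 8 bytes of flags/length,
    NUL-terminated temp path, then a length-prefixed embedded file."""
    total_size, flags = struct.unpack_from("<IH", blob, 0)
    off, strings = 6, []
    for _ in range(2):  # label, original path
        end = blob.index(b"\x00", off)
        strings.append(blob[off:end].decode("latin-1"))
        off = end + 1
    off += 8  # flags2, unknown, temp-path length: not needed to find the payload
    end = blob.index(b"\x00", off)
    temp_path, off = blob[off:end].decode("latin-1"), end + 1
    (data_len,) = struct.unpack_from("<I", blob, off)
    data = blob[off + 4:off + 4 + data_len]
    if len(data) != data_len:  # a stream cut short must not pass silently
        raise ValueError(f"Ole10Native payload truncated: {len(data)} < {data_len}")
    return {"total_size": total_size, "flags": flags, "label": strings[0],
            "src_path": strings[1], "temp_path": temp_path, "data": data}

# Constructed inputs (not carved from the sample) so the helpers run offline.
def build_ole10native(label: str, src_path: str, temp_path: str, data: bytes) -> bytes:
    temp = temp_path.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2) + label.encode("latin-1") + b"\x00"
            + src_path.encode("latin-1") + b"\x00"
            + struct.pack("<HHI", 0, 3, len(temp)) + temp
            + struct.pack("<I", len(data)) + data)
    return struct.pack("<I", len(body)) + body

def build_fake_cfb(clsid: uuid.UUID) -> bytes:
    """Header plus one directory sector whose root entry carries `clsid`;
    enough for root_clsid(), not a complete compound file."""
    header, root = bytearray(512), bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)  # 512-byte sectors
    struct.pack_into("<I", header, 0x30, 0)  # directory starts at sector 0
    root[0x50:0x60] = clsid.bytes_le
    return bytes(header + root)

def build_sample_xlsx(ole_part: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/embeddings/YOC.pWCpAs", ole_part)  # the report's odd part name
    return buf.getvalue()
```

Against a real sample, run root_clsid() on the carved ooxml_oleobject_00.bin and parse_ole10native() on ooxml_oleobject_00_ole10native_00.bin; the label and src_path fields give the name the embedded file was packaged under, and the data field is the file to hash and detonate next. The length check at the end of parse_ole10native() matters for carved streams: an object cut off by a partial extraction otherwise yields a silently short payload.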