Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 938d1b0a5ac7ece3…

MALICIOUS

Office (OOXML) / .XLSX

671.5 KB Created: 2022-08-10 18:51:50 UTC Authoring application: Microsoft Excel 16.0300
MD5: 2e0db534d6635faac395d4cd17246bc6 SHA-1: d5c7b7f9f8e437f9ad43cc125c9db97d388e298b SHA-256: 938d1b0a5ac7ece316f0f0ed5cd8617e0d355248263434a9f48dac95f6c1b14f
60 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is an Excel spreadsheet containing an embedded OLE object identified as an Equation Editor. This is a high-confidence indicator of malicious intent, as Equation Editor is frequently exploited to deliver malware. No scripts were extracted, and the document body content appears to be legitimate financial data, suggesting the exploit is contained within the OLE object itself.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/3GnvqtEvF.OjEs contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
5d4711499a74386ef85209566aab8581d40301626998081306a9301fcefa08e2		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/3GnvqtEvF.OjEs 957952 bytes
ooxml_oleobject_00_ole10native_00.bin
e695db300bf7afb57ec05931a6d04a22b9c3b9d53eadd9f95d74351e46896032		 ole-package OOXML xl/embeddings/3GnvqtEvF.OjEs Ole10Native stream: ole10NaTIve 947806 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.