Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 94ad3eef0d43e010…

MALICIOUS

Office (OOXML) / .XLSX

Size: 702.5 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2023-08-16
MD5: c8b9a6be650261fb8db798710f1f99cf
SHA-1: cb72fd8c1ebaa0fefe8f9d17cf5231d0e90def90
SHA-256: 94ad3eef0d43e0106874b7c7b848789a628bd62a3c4eb2d7afc97212ec8fa4ec
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1559 Component Object Model and Distributed Component Object Model
T1559.001 Component Object Model

The sample is an Excel file containing an embedded OLE object identified as an Equation Editor. Heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous header and a size discrepancy, strongly suggesting it is used for malicious purposes. Embedding such an object is a common technique for exploiting vulnerabilities or delivering secondary payloads.

Heuristics (3)

  • Equation Editor OLE object (severity: high; CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/R9gHOyK9.qziS6 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high) [OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 3a82bdd714e960223d39c229ee9692f143ab9870bab4a5ae8c9cbc37a8f292a6
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/R9gHOyK9.qziS6
  Size: 1029632 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 21262fe0004821722963b9fbbf35e2f67fbb2f894d8c730379469f568a0023a4
  Kind: ole-package
  Source: OOXML xl/embeddings/R9gHOyK9.qziS6 Ole10Native stream: oLe10NATIVE
  Size: 1019046 bytes