Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 94f7176d477a4d33…

MALICIOUS

Office (OOXML) / .XLSX

Size: 655.1 KB | Created: 2010-06-04 08:55:28 UTC | Authoring application: Microsoft Excel 15.0300 | First seen: 2023-09-01
MD5: ac31a8be80a6276c5be84c4ebc48bd50
SHA-1: e2aae640d36a0c829055c0a79990f91400efa351
SHA-256: 94f7176d477a4d33a4a2b5a842ac2035776df88ff2d73175e95422cc3c6d2f29
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The file is an Excel document containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. High-severity heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous header, suggesting it's being used to deliver malicious content. The presence of this object and the anomalous stream strongly indicates an exploit targeting the Equation Editor vulnerability to execute a secondary payload.

Heuristics (3)

  • Equation Editor OLE object — severity: high — tag: CVE related — rule: OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/XVeQ584S.LOz contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream — severity: high — rule: OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object — severity: medium — rule: OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: e2639bf45451d2f3cfb2532a70d912524c41ef3e3131f3cacf693960c5bc14d3
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/XVeQ584S.LOz
  Size:    890368 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 0b5047a96ba0bfb3cd6dca454e8964fb891229ff2f31ccc0be416bb8bf826a60
  Kind:    ole-package
  Source:  OOXML xl/embeddings/XVeQ584S.LOz Ole10Native stream: oLE10nATIVE
  Size:    880997 bytes