Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9827d6a8c50f7557…

MALICIOUS

Office (OOXML) / .XLSX

Size: 615.7 KB
Created: 2023-07-26 19:45:53 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2023-08-30
MD5: 075a717494e75da126d38c80929b6bff
SHA-1: 522363744c2aa4e34a155c37d3181d97cf82ba42
SHA-256: 9827d6a8c50f7557114435e88b83cfb371f0e2a104dcf1cfb26e228e386a6dd7
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an Excel file containing an embedded OLE object identified as an Equation Editor object. This object has an anomalous Ole10Native stream, indicating that it likely carries a malicious payload. The presence of this object is a strong indicator of an exploit attempt, most likely leveraging vulnerabilities in the Equation Editor component.

Heuristics (3)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/5BM.k6D contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high; rule: OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256: 79e4d8051f56d04c8946509c573b1e36adcfbc2ddeafeaf6b73ee7c7b0c1ba75
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/5BM.k6D
  Size: 892928 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 10e9d1cdbad57b461361506f3d05aa55f0f6f6afb4ad4dfb108f2b38bd475f9e
  Kind: ole-package
  Source: OOXML xl/embeddings/5BM.k6D Ole10Native stream: Ole10nATiVe
  Size: 883670 bytes