Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9a2b573358f1bd7f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 742.7 KB
Created: 2023-11-17 18:26:59 UTC
Authoring application: Microsoft Excel 12.0000
MD5: eb3620b923941c070b0b22f8bcd201bb
SHA-1: bbfe3ba2747c80066074644725c750aa11408b7f
SHA-256: 9a2b573358f1bd7f299a96c60add24c93396100dcc3d3bc887df36d720a2c9b8
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The primary indicator of maliciousness is the presence of an embedded OLE object, identified as an Equation Editor object. This technique is commonly used to exploit vulnerabilities or deliver secondary payloads. While no specific script or URL was extracted, the nature of the embedded object strongly suggests a malicious intent, likely to execute arbitrary code or download further malware.

Heuristics (2)

  • Equation Editor OLE object [severity: high] [CVE related] [rule: OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/FOMRhCnra.AgT contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [severity: medium] [rule: OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: bc2f5162f12b82e0a51313bb951f4d650eac594c31aeafbb47ac2d9136033677
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/FOMRhCnra.AgT
    Size: 1076224 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: c0fedd4512f84746f45e5c55e9ee1e5743878ca06dd71ff17d727531575c211b
    Kind: ole-package
    Source: OOXML xl/embeddings/FOMRhCnra.AgT, Ole10Native stream: Ole10NAtIve
    Size: 1065153 bytes