Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9aae2df453d839d3…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.05 MB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 0bca326d9309c0aecda58af07be724dc
SHA-1: d1fbe359ee785ea4fbd2ec7d16ce5b560056a30a
SHA-256: 9aae2df453d839d3dace1a60816baf5d83ea1cdbc26544431bc785f7ad9b7921
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The primary finding is a high-severity heuristic indicating an Equation Editor OLE object embedded within the XLSX file. Embedding an Equation Editor object is a common technique for delivering exploits, typically targeting vulnerabilities in the Equation Editor component itself. The second, lower-severity heuristic (an embedded OLE object) is consistent with the same attack vector.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/9RWQQmMb8.LlR contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 88193cf8317c79a27c8e5bbbb15ed9d313dd2a2f2dd48c25a5d40c15e0437cd6
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/9RWQQmMb8.LlR
  Size: 2875904 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: ab9b292f20e66315f526971f7c0fb6b477d4275234476391c87f5ca582fea99f
  Kind: ole-package
  Source: OOXML xl/embeddings/9RWQQmMb8.LlR Ole10Native stream: OLE10nATIvE
  Size: 2850877 bytes