Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9adddf2e687bd50e…

MALICIOUS

Office (OOXML) / .XLSX

Size: 760.0 KB
Created: 2022-05-16 17:34:45 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2023-10-16
MD5: ad8ccd793320f09f538a35b8e3927f76
SHA-1: 9d523f4a2e7152b52b97b24616d808846abab2fc
SHA-256: 9adddf2e687bd50ea587660eb5cdfe23ba6993da5202608d03b78c68d2ca3b30
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The sample is an Office Open XML spreadsheet containing an embedded OLE object identified by its CLSID as an Equation Editor object. The object's Ole10Native stream is anomalous (large, high-entropy, with malformed package sizing), which suggests it carries a malicious payload. A ClamAV detection as a downloader trojan corroborates the verdict.

Heuristics (4)

  • Equation Editor OLE object (severity: high; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/lLyRbO.f8Qgwf contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • ClamAV: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0
  • Equation Editor object carries payload-like Ole10Native stream (severity: high; rule: OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not attributed to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 035a4ffec26c3f13c8aaca5226479dc5edbdf2a36eaebef42e682807cf1c899d
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/lLyRbO.f8Qgwf
    Size: 893440 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 00837ac66327d0147ed7157a68f1f33f2e7eed069158818efbcbb2e48564933c
    Kind: ole-package
    Source: OOXML xl/embeddings/lLyRbO.f8Qgwf Ole10Native stream: olE10NAtIvE
    Size: 884098 bytes
  • Filename: emf_00.emf
    SHA-256: 38f17a599ac5d645df3840bbb401710ef81573a747da20abbfc1b7d9a9273b58
    Kind: ooxml-emf
    Source: OOXML EMF part: xl/media/image1.emf
    Size: 169096 bytes