Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9bd66b6fa9050edf…

MALICIOUS

Office (OOXML) / .XLSX

2.12 MB Created: 2022-05-16 17:34:45 UTC Authoring application: Microsoft Excel 15.0300
MD5: 55a94ebc4a3702f57aacb4633d36424e SHA-1: eb1cc363bbe0e61efcbb9fdb31d58b3cb714189e SHA-256: 9bd66b6fa9050edf01d12180e4569c464f47e3235d5a912c9d2e91b6461e8f23
60 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The sample is an Excel file containing an embedded OLE object identified as an Equation Editor. This is a high-severity finding and a common technique for delivering exploits. The presence of this object suggests the file is designed to leverage vulnerabilities within the Equation Editor to execute a secondary payload.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/lFQ9c1J.mReXh contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
3c02ac8afef6a0d2a2c13d9125041b73e15be3947936dafa7a67e3675918b37b		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/lFQ9c1J.mReXh 2971136 bytes
ooxml_oleobject_00_ole10native_00.bin
80adcde15a734cb42234b3b7cd5bd1cbb32b99f33730696c47d5fe433b17c1de		 ole-package OOXML xl/embeddings/lFQ9c1J.mReXh Ole10Native stream: Ole10Native 2945250 bytes
emf_00.emf
38f17a599ac5d645df3840bbb401710ef81573a747da20abbfc1b7d9a9273b58		 ooxml-emf OOXML EMF part: xl/media/image1.emf 169096 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.