Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9cbf06742c26cd16…

MALICIOUS

Office (OOXML) / .XLSX

Size: 694.2 KB | Created: 2023-08-03 11:34:29 UTC | Authoring application: Microsoft Excel 16.0300
MD5: 1896daa584f1ad783e1cc53535ed7ef7
SHA-1: 04e57ee025d1a828eacc091b73dab8fb76b297f8
SHA-256: 9cbf06742c26cd16a0e982850fe3d826f4cf5ce588ad99328a2c6e480eef7cdc
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The primary finding is a high-severity heuristic indicating an Equation Editor OLE object embedded within the XLSX file. This is a common technique for delivering exploits that target vulnerabilities in the Equation Editor component itself. No document body or scripts were extracted, which limits further analysis of the specific payload.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/SFp.xq contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 4f8a57b76c2779e754ce0af40c7bc36c0eada537359f2ef3ea5004efd33d3a73
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/SFp.xq
    Size: 949760 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 033cacb057f17d82163738fb10eb680a4abb4f24a192485358080e2eb232422e
    Kind: ole-package
    Source: OOXML xl/embeddings/SFp.xq Ole10Native stream: OlE10NatIVE
    Size: 939944 bytes