Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9d4ddedec961bd51…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.15 MB
Created: 2023-11-17 18:26:59 UTC
Authoring application: Microsoft Excel 12.0000 (Application/AppVersion from docProps/app.xml; 12.x is the Office 2007 version string and is trivially forgeable)
First seen: 2024-05-28
MD5: 32b5d9891a7ea3bd8f2f3a4adfe61b1f
SHA-1: d64379a5e6daa49a5251c8de97490ef6497133e6
SHA-256: 9d4ddedec961bd51fd9405f8a4e2eb15ff141f71c5b1761b0a69c4f1f749a855
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1187 Embedded OLE

The sample is an Excel workbook (OOXML .xlsx) that embeds an OLE object whose CLSID identifies it as an Equation Editor (EQNEDT32.EXE) object. The visible sheet content is financial data, a lure to get the recipient to open the file and, where Protected View intervenes, to enable editing. Equation Editor is a legacy component that Microsoft removed from Office in the January 2018 updates after CVE-2017-11882 was exploited in the wild; a workbook with a 2023 creation date that embeds an Equation Editor object has no plausible legitimate purpose, so the CLSID alone is a strong indicator of an exploit attempt against the unpatched component, typically used to run an attacker-supplied payload.

Heuristics (2)

  • OLE_EQUATION_EDITOR (severity: high; tag: CVE related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/clI41w.uEZaZ contains the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • OOXML_OLE_OBJECT (severity: medium): Embedded OLE object
    Document contains an embedded OLE object. The part name xl/embeddings/clI41w.uEZaZ is itself a signal: Excel writes embedded objects as xl/embeddings/oleObjectN.bin, and a randomised name with a nonsense extension is characteristic of exploit builders rather than of a document saved by Office.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                               Kind              Source                                                            Size
ooxml_oleobject_00.bin                 ooxml-ole-object  OOXML embedded OLE part: xl/embeddings/clI41w.uEZaZ               3078656 bytes
  SHA-256: 58fbf69da43eb7a5e60aa39fd734b4ff0f5a7ec41e5dea4f2514e080b5a2a310
ooxml_oleobject_00_ole10native_00.bin  ole-package       OOXML xl/embeddings/clI41w.uEZaZ, Ole10Native stream: olE10natiVE  3052532 bytes
  SHA-256: 5586e7e855b3df40d52f87f420c3aa0965f78863eca248b2dd45ab9010802d55

The stream name olE10natiVE is the standard Ole10Native (OLE Packager) stream with randomised letter case. CFB directory lookups are case-insensitive, so Office resolves it normally, while detection rules that match the canonical spelling exactly miss it. The stream wraps a roughly 2.9 MB packaged file (the Ole10Native header is small relative to the payload), which should be carved and analysed as a separate sample; its hash above is for the whole stream, not the inner file.
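The two heuristics above (Equation Editor CLSID in a randomly named xl/embeddings/ part, and an Ole10Native stream whose name has randomised case) and the carving of the Ole10Native payload, as an added example that is not the analysis platform's own code. Assumptions: it uses only the Python standard library, so the per-part checks are raw byte scans rather than a CFB directory walk (use olefile or oletools to extract the actual stream bytes from a real sample before calling parse_ole10native); the Ole10Native layout follows the OLE Packager format; and both the workbook and the stream it processes are constructed inline, not taken from the reported file.

```python
# Added example: triage an .xlsx for Equation Editor OLE objects and carve an
# Ole10Native payload. Standard library only; not a full CFB parser.
import hashlib
import io
import re
import struct
import uuid
import zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Equation Editor 3.0 (EQNEDT32.EXE) CLSID, in the byte order a CFB directory
# entry stores it (first three GUID fields little-endian).
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQNEDT_CLSID_BYTES = EQNEDT_CLSID.bytes_le

# Directory entry names are UTF-16LE and looked up case-insensitively, so
# "olE10natiVE" is loaded exactly like "Ole10Native". Match any casing.
OLE10NATIVE_RE = re.compile("Ole10Native".encode("utf-16-le"), re.IGNORECASE)


def scan_ole_part(data: bytes) -> dict:
    """Heuristics over one embedded part, mirroring the report's two hits."""
    return {
        "is_cfb": data.startswith(CFB_MAGIC),
        "equation_editor_clsid": EQNEDT_CLSID_BYTES in data,
        "ole10native_names": sorted(
            {m.group(0).decode("utf-16-le") for m in OLE10NATIVE_RE.finditer(data)}),
    }


def scan_xlsx(blob: bytes) -> dict:
    """Scan every part under xl/embeddings/, whatever its extension (attackers randomise it)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if name.startswith("xl/embeddings/"):
                findings[name] = scan_ole_part(zf.read(name))
    return findings


def _cstring(buf: bytes, pos: int):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Parse an Ole10Native (OLE Packager) stream and carve the embedded file.

    Layout: u32 total size, u16 type (2), NUL-terminated label and source path,
    u32 flags, u32 temp-path length, temp path, u32 payload length, payload.
    """
    total, obj_type = struct.unpack_from("<IH", stream, 0)
    label, pos = _cstring(stream, 6)
    src_path, pos = _cstring(stream, pos)
    flags, temp_len = struct.unpack_from("<II", stream, pos)
    pos += 8
    temp_path = stream[pos:pos + temp_len].rstrip(b"\x00").decode("latin-1")
    pos += temp_len
    (data_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    payload = stream[pos:pos + data_len]
    if len(payload) != data_len:
        raise ValueError(f"truncated payload: want {data_len}, have {len(payload)}")
    return {"type": obj_type, "declared_total": total, "label": label,
            "src_path": src_path, "temp_path": temp_path, "flags": flags,
            "payload": payload, "sha256": hashlib.sha256(payload).hexdigest()}


def build_ole10native(label: str, src_path: str, temp_path: str, payload: bytes) -> bytes:
    """Constructed test vector in the layout parse_ole10native expects."""
    tmp = temp_path.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2) + label.encode("latin-1") + b"\x00"
            + src_path.encode("latin-1") + b"\x00"
            + struct.pack("<II", 0x00030000, len(tmp)) + tmp
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


def build_sample_xlsx() -> bytes:
    """Constructed stand-in for the sample: a zip with one oddly named embedding part
    carrying the Equation Editor CLSID and a mixed-case Ole10Native name. It is not a
    valid CFB file, just enough bytes for the raw scans above."""
    fake_part = (CFB_MAGIC + b"\x00" * 0x78 + "olE10natiVE".encode("utf-16-le")
                 + b"\x00" * 0x10 + EQNEDT_CLSID_BYTES)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/clI41w.uEZaZ", fake_part)
    return buf.getvalue()


if __name__ == "__main__":
    for part, hit in scan_xlsx(build_sample_xlsx()).items():
        print(part, hit)
    demo = build_ole10native("invoice.exe", r"C:\Users\victim\invoice.exe",
                             r"C:\Temp\invoice.exe", b"MZ" + b"\x90" * 30)
    print({k: v for k, v in parse_ole10native(demo).items() if k != "payload"})
```

Run it with no arguments to see the constructed workbook trip both heuristics; on a real sample, feed the bytes of the carved .bin part to scan_ole_part, then pull the Ole10Native stream with olefile (matching the name case-insensitively) and hand it to parse_ole10native to recover the packaged file and its own SHA-256.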