Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9e6ea53808023683…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX

Size: 659.4 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2024-06-07

MD5: dd29920a1b687bafc86b4f310c1c3838
SHA-1: 58165badbcedb9d74e3b38e6a43624717a4bf70f
SHA-256: 9e6ea538080236831f6f2a7dd910d816126b056bcd14e53040913c732e69f8ef

Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1559 Component Object Model Hijacking

The file is an Excel document containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. High-severity heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous header and a significantly larger declared inner size than the stream size. This strongly suggests the exploitation of a known vulnerability within the Equation Editor component to execute arbitrary code. No scripts were extracted, and the document body contains what appears to be product information and shipping details, which are likely decoys.

Heuristics (3)

  • Equation Editor OLE object [high, CVE related] (OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/SSjlzX.CdB contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream [high] (OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [medium] (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: a1b7ee4a1ea6c8ac4758b2bd53f0f15c731015bb39c9803bae7c63334726adf2
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/SSjlzX.CdB
    Size: 874496 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: dc6eba718ca8a169f9ead700d53e68654b54637c1108cbc9c3a6350a369fb444
    Kind: ole-package
    Source: OOXML xl/embeddings/SSjlzX.CdB Ole10Native stream: OLe10nAtiVE
    Size: 865180 bytes