Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9ec54f0ccaec25ab…

MALICIOUS

Office (OOXML) / .XLSX

630.3 KB Created: 2023-11-17 18:26:59 UTC Authoring application: Microsoft Excel 12.0000
MD5: f33b4dbc909cdc44a201d9eeaa9b2c53 SHA-1: 89d94d895d90687e8ace8f6c99672bed985007e4 SHA-256: 9ec54f0ccaec25ab198f669e0983c249d388bfbb9825635199bab64cc4044c51
60 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The primary indicator of maliciousness is the presence of an embedded OLE object, identified as an Equation Editor object. This technique is frequently used to embed and execute malicious code. While no specific scripts or URLs were extracted, the nature of the embedded object strongly suggests an attempt to exploit vulnerabilities or deliver a secondary payload. The document body content appears to be financial data or formulas, which is likely a lure.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/pZQL7.suqB contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
4bdc543769faa38ec5a83f6e2af31b9a229ea00a2444d2350c78ffa0c0d985d2		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/pZQL7.suqB 879616 bytes
ooxml_oleobject_00_ole10native_00.bin
158b9f025804a9d70e329c800cbfcc0961221efced3c47d326125665771ab858		 ole-package OOXML xl/embeddings/pZQL7.suqB Ole10Native stream: OLe10NaTIVe 870059 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.