Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a06366b0fa7d5744…

MALICIOUS

Office (OOXML) / .XLSX

639.0 KB Created: 2023-10-11 01:33:50 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2023-10-11
MD5: 4ea2fc328591f18e46749e401cf007f8 SHA-1: 9d2bfb5eb1041fa098f80297aecec848984004a6 SHA-256: a06366b0fa7d5744a507ef1afdafa02d81a4315bdba697993b7ee4fce76f1d7e
108 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The XLSX file contains an embedded OLE object, identified as an Equation Editor, which is a known technique for delivering malicious payloads. The OLE object's Ole10Native stream has an anomalous header and a significantly larger declared size than its actual stream size, indicating it likely contains a packed or obfuscated second-stage payload. The presence of an external hyperlink to 'http://sr.no/' further suggests a potential command and control or download source.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/bq.FmINRqb contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • External hyperlinks (1) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 1 external hyperlink — clickable URLs are stored as external relationships. First target: http://sr.no/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
06899079ecad6aa09c91b2a2bb1455c90bd974457800a4a3e71d02b9ec4c0059		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/bq.FmINRqb 882176 bytes
ooxml_oleobject_00_ole10native_00.bin
cbe68923f1a5a0133a07da396adc740836d39f71bbd47f7d1242f3ec1c8f7a7c		 ole-package OOXML xl/embeddings/bq.FmINRqb Ole10Native stream: olE10nATIvE 872718 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.