Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a1a4c8ab49ddaca6…

MALICIOUS

Office (OOXML) / .XLSX

Size: 685.2 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 2df63d3d53334d8b2d673b86b14bcb05
SHA-1: e29d3af545031508d999056f2eb90defface9ba8
SHA-256: a1a4c8ab49ddaca690f6102289a6c0803216cbd36029b4b12d4646accaaf4087
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The primary indicator of maliciousness is the presence of an embedded Equation Editor OLE object within the XLSX file. This object is frequently exploited to deliver malicious payloads by leveraging vulnerabilities in the Equation Editor component. No document body or scripts were extracted, limiting further analysis of the specific payload or delivery mechanism.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/gMg.AZL contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: a8ac1e9afe37a7471840f208a51890d018e5b5bfd8ae49938feb01480992fbcb
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/gMg.AZL
    Size: 1008128 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 79c2b9b702a63e264142a7833b5a0fa4fd20a53e77b663544a4a7838f71fcf27
    Kind: ole-package
    Source: OOXML xl/embeddings/gMg.AZL Ole10Native stream: OLE10naTiVe
    Size: 997874 bytes