Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 a27409aaa6dda828…

Verdict: MALICIOUS

File type: Office (OLE) / .XLSX

File size: 1.59 MB

MD5: 7db469cc5823860442187d786f95c113
SHA-1: 8083f4db44a7b1b56291c9b8848f8e2cf06cbf44
SHA-256: a27409aaa6dda828d7c3ed52a82aadccf3067763c06b6835e1b1d952b59f5d6c

Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File Execution
  • T1559.001 Component Object Model Hijacking

The presence of an Equation Editor OLE object is a strong indicator of exploitation, often used to deliver malicious payloads. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests the document may be instructing the user to open a password-protected archive, which is a common social engineering tactic to bypass gateway security. No scripts were extracted from this sample.

Heuristics (3)

  • Equation Editor OLE object (severity: high; CVE-related; id: OLE_EQUATION_EDITOR)
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • Password-protected archive handoff (severity: high; id: SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • Suspicious extracted artifact (severity: info; id: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
SHA-256: f3b9b7afcaead08ff8406b844fe3e3c5092c37f1d37f41bfec1523d62e6c19e0
Kind: ole-package
Source: OLE Ole10Native stream: OlE10nAtiVE
Size: 1652443 bytes

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.