Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a28b52d6d9e6a329…

MALICIOUS

Office (OOXML) / .XLSX

Size: 700.6 KB
Created: 2024-03-25 10:30:17 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 8cd71bfa34a4237c40203bd546019582
SHA-1: 8776987f67def321d13a7db35cdc569bedc26f7a
SHA-256: a28b52d6d9e6a3291db8e37d08c1c9874223af5c0122b816814301cc4dc2f049
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The primary finding is a high-severity heuristic indicating an embedded Equation Editor OLE object within the XLSX file. This is a common technique used to exploit vulnerabilities or deliver secondary payloads, often leading to arbitrary code execution. While no specific scripts or URLs were extracted, the presence of this object strongly suggests a malicious intent to leverage this embedded component.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tags: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/GO6f41OVc.IPGa contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 4e2b0de9487511ed05d1ab2f0c0402ae21599b94692228002d0d85bf177fa7e4
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/GO6f41OVc.IPGa
    Size: 970752 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 99cef56394c09ffb34f1cc0ca43ba190c7566eba59a68425f428491090f27364
    Kind: ole-package
    Source: OOXML xl/embeddings/GO6f41OVc.IPGa Ole10Native stream: Ole10Native
    Size: 961011 bytes