Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a2e94cb25566b2f8…

MALICIOUS

Office (OOXML) / .XLSX

Size: 606.5 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
(Creation time and application string are read from the package's own docProps metadata and are trivially forged. Excel 15 is Office 2013, which postdates the claimed 2010 creation date, so neither value should be used for attribution or timeline work.)
MD5: a866e44919d15b19cb0bf0686c422fb9
SHA-1: 0525eef57577d546c234f603b4da4486259b3fa7
SHA-256: a2e94cb25566b2f893c2c5be8f52ef5188f685d85d55e2f87ac4317d081a280d
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
(Note: "Component Object Model Hijacking" is a different technique, T1546.015. Exploitation of the vulnerable Equation Editor at document-open time is usually mapped to T1203 Exploitation for Client Execution, delivered through T1204.002 User Execution: Malicious File.)

The sample is an OOXML spreadsheet that carries an embedded OLE compound file whose root storage CLSID identifies it as a Microsoft Equation Editor (Equation.3) object. The legacy Equation Editor (EQNEDT32.EXE) is an out-of-process COM server with several stack buffer overflows (CVE-2017-11882, CVE-2018-0802, CVE-2018-0798) that yield arbitrary code execution as soon as Office instantiates the object: no macro is involved and, once the file is out of Protected View, no further user interaction is needed. Microsoft removed the component from Office in January 2018, so the exploit only works on installations that still carry EQNEDT32.EXE. An Equation Editor object embedded in a spreadsheet is the primary indicator of malicious intent here. The object also contains an Ole10Native (OLE Package) stream of roughly 858 KB, the container Office uses for an arbitrary embedded file, whereas a genuine equation keeps its formula in an "Equation Native" stream; the combination is consistent with the Equation Editor object acting as the trigger and the packaged stream carrying a secondary payload. The carved stream (listed under extracted artifacts) needs separate analysis; this static pass does not identify its format.

Heuristics (2)

  • OLE_EQUATION_EDITOR (high, CVE related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/VyjcSc.ndEW contains the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046} (Equation.3), the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. The embedding part uses a randomised name instead of the usual oleObject1.bin; Excel resolves embeddings through the worksheet's relationships, not the file name, so the object still loads, but naive path-based filters that look for xl/embeddings/oleObject*.bin miss it.
  • OOXML_OLE_OBJECT (medium): Embedded OLE object
    Document contains an embedded OLE object (a part under xl/embeddings/ that starts with the compound-file magic D0 CF 11 E0 A1 B1 1A E1).

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                               Kind              Source                                                                Size
ooxml_oleobject_00.bin                 ooxml-ole-object  OOXML embedded OLE part xl/embeddings/VyjcSc.ndEW                      867,840 bytes
  SHA-256: d249afd6cdc822f2f140d0b820b624269e8dcedc7aa43c76f221759a05b28936
ooxml_oleobject_00_ole10native_00.bin  ole-package       Ole10Native stream "OlE10natiVe" inside xl/embeddings/VyjcSc.ndEW      858,114 bytes
  SHA-256: 8d417cfb446ecacbe7b1d49595481a299bde25adf468e23f00d72531699eb05f

The package stream is stored under the name "OlE10natiVe" rather than the canonical "\x01Ole10Native". MS-CFB directory lookups are case-insensitive, so OLE still finds and activates the stream, but signatures or carving scripts that match the exact canonical name will miss it; match case-insensitively and ignore the leading control byte. The sizes are also telling: the 858,114-byte package accounts for all but about 9.7 KB of the 867,840-byte compound file, so nearly the entire embedded object is payload rather than equation data.
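The two heuristics above (embedded OLE part, Equation Editor root CLSID) and the Ole10Native carve that produced the second artifact can be reproduced with a short standalone scanner. The example below is added here and is not the analysis platform's own tooling; it parses the compound file directly (sector size, FAT chains, directory entries) rather than relying on olefile, handles only streams held in regular sectors (anything under the 4096-byte mini-stream cutoff is reported as unread), and matches the stream name case-insensitively so that the sample's "OlE10natiVe" is still found. The Ole10Native field layout is the undocumented one that extraction tools commonly use. The workbook it scans is constructed inline: a bare zip whose embedding keeps the sample's random part name, with a filler payload that is not a real executable.

```python
# Added triage example (not the report's tooling): flag Equation Editor OLE parts in an .xlsx and carve Ole10Native payloads.
import hashlib, io, struct, uuid, zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
EQUATION_EDITOR_CLSID = "0002CE02-0000-0000-C000-000000000046"  # Equation.3 (EQNEDT32.EXE)
ENDOFCHAIN, MAXREGSECT, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFA, 0xFFFFFFFF, 0xFFFFFFFD
rd = lambda fmt, buf, off: struct.unpack_from(fmt, buf, off)[0]  # little-endian field read

def cfb_read(blob):
    """Minimal MS-CFB reader -> (root CLSID as upper-case GUID, {stream name: bytes, or None if in the mini stream})."""
    if blob[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    ssz, cutoff = 1 << rd("<H", blob, 0x1E), rd("<I", blob, 0x38)
    sector = lambda n: blob[(n + 1) * ssz:(n + 2) * ssz]  # the header occupies "sector -1"
    fat = []  # the header DIFAT at 0x4C lists the first 109 FAT sectors
    for i in range(min(rd("<I", blob, 0x2C), 109)):
        fat.extend(struct.unpack(f"<{ssz // 4}I", sector(rd("<I", blob, 0x4C + 4 * i))))
    def chain(start):  # follow a FAT chain, stopping on loops or out-of-range sector numbers
        seen, cur = [], start
        while cur <= MAXREGSECT and cur < len(fat) and cur not in seen:
            seen.append(cur)
            cur = fat[cur]
        return b"".join(sector(n) for n in seen)
    root_clsid, streams = None, {}
    directory = chain(rd("<I", blob, 0x30))
    for i in range(len(directory) // 128):
        ent = directory[i * 128:(i + 1) * 128]
        etype, nlen = ent[0x42], rd("<H", ent, 0x40)
        if etype == 5:  # root storage: its CLSID is the class of the embedded object
            root_clsid = str(uuid.UUID(bytes_le=ent[0x50:0x60])).upper()
        elif etype == 2:  # stream: UTF-16LE name (nlen counts the NUL), start sector, size
            name = ent[:max(nlen - 2, 0)].decode("utf-16-le")
            start, size = rd("<I", ent, 0x74), rd("<I", ent, 0x78)
            streams[name] = chain(start)[:size] if size >= cutoff else None
    return root_clsid, streams

def parse_ole10native(stream):
    """Undocumented Ole10Native layout as tools read it: u32 size, u16 flags, label\\0, source path\\0, u16, u16, u32 temp-path len, temp path, u32 data len, data."""
    label, src, _ = stream[6:].split(b"\x00", 2)
    pos = 6 + len(label) + len(src) + 2 + 4  # also skips two u16 fields (commonly 0x0000, 0x0003)
    tlen = rd("<I", stream, pos)
    temp = stream[pos + 4:pos + 4 + tlen].rstrip(b"\x00")
    pos += 4 + tlen
    dlen = rd("<I", stream, pos)
    payload = stream[pos + 4:pos + 4 + dlen]  # slicing caps a size field that lies
    return {"label": label.decode("latin-1"), "source_path": src.decode("latin-1"),
            "temp_path": temp.decode("latin-1"), "declared_size": dlen, "payload": payload,
            "sha256": hashlib.sha256(payload).hexdigest()}

def scan_xlsx(xlsx_bytes):
    """Return (heuristic hits, carved artifacts) for every embedded OLE part of a workbook."""
    hits, artifacts = [], []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for part in (p for p in zf.namelist() if p.startswith("xl/embeddings/")):
            blob = zf.read(part)  # a full scanner would follow oleObject relationships instead
            if blob[:8] != CFB_MAGIC:
                continue
            hits.append(("medium", "OOXML_OLE_OBJECT", part))
            clsid, streams = cfb_read(blob)
            if clsid == EQUATION_EDITOR_CLSID:
                hits.append(("high", "OLE_EQUATION_EDITOR", part))
            for name, data in streams.items():  # case-insensitive: the sample used "OlE10natiVe"
                if name.lstrip("\x01\x05").lower() == "ole10native" and data:
                    artifacts.append((part, name, parse_ole10native(data)))
    return hits, artifacts

def build_sample_cfb(root_clsid=EQUATION_EDITOR_CLSID):
    """CONSTRUCTED v3 compound file (512-byte sectors, one FAT sector): root CLSID says Equation.3, the only stream is an Ole10Native package."""
    payload = b"MZ" + b"\x90" * 4998  # constructed filler, not a real executable
    temp = b"C:\\Temp\\invoice.exe\x00"
    body = (struct.pack("<H", 2) + b"invoice.exe\x00" + b"C:\\src\\invoice.exe\x00"
            + struct.pack("<HHI", 0, 3, len(temp)) + temp + struct.pack("<I", len(payload)) + payload)
    native = struct.pack("<I", len(body)) + body
    nsec = -(-len(native) // 512)  # the stream occupies sectors 2 .. 1+nsec
    fat = ([FATSECT, ENDOFCHAIN] + list(range(3, 2 + nsec)) + [ENDOFCHAIN] + [FREESECT] * 128)[:128]
    def entry(name, etype, clsid, child, start, size):
        ent, enc = bytearray(128), (name + "\x00").encode("utf-16-le")
        ent[:len(enc)] = enc
        struct.pack_into("<HBBIII", ent, 0x40, len(enc), etype, 1, FREESECT, FREESECT, child)
        ent[0x50:0x60] = clsid
        struct.pack_into("<IQ", ent, 0x74, start, size)
        return bytes(ent)
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # v3, 512-byte sectors, 64-byte mini sectors
    struct.pack_into("<8I", hdr, 0x2C, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # FAT count, dir start, txn, cutoff, mini FAT, DIFAT
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)  # DIFAT: the FAT is sector 0
    directory = (entry("Root Entry", 5, uuid.UUID(root_clsid).bytes_le, 1, ENDOFCHAIN, 0)
                 + entry("\x01OlE10natiVe", 2, bytes(16), FREESECT, 2, len(native)))
    return bytes(hdr) + struct.pack("<128I", *fat) + directory.ljust(512, b"\x00") + native.ljust(nsec * 512, b"\x00")

def build_sample_xlsx(root_clsid=EQUATION_EDITOR_CLSID):  # CONSTRUCTED workbook zip, random part name as in the sample
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/VyjcSc.ndEW", build_sample_cfb(root_clsid))
    return buf.getvalue()
```

Running scan_xlsx(build_sample_xlsx()) yields the medium OOXML_OLE_OBJECT hit, the high OLE_EQUATION_EDITOR hit and one carved artifact with its label, paths, declared size and SHA-256. On a real sample, carve the embedding parts with this reader or olefile and feed the same functions; add mini-stream support before trusting a "None" result, since a small Ole10Native stream (under 4096 bytes) would otherwise be silently skipped.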