Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a42dc8cc3c030615…

MALICIOUS

Office (OOXML) / .XLSX

Size: 597.9 KB
Created: 2023-11-17 18:26:59 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 7f5d1a53d72bf953c64961fef01341f6
SHA-1: 12dc0cbb70cab624ad523e36a8418c24a8ed3524
SHA-256: a42dc8cc3c0306159ae3e80c5d3b08edc3a7bee82c135fce32f3cdfe484a2b9e
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The primary indicator of maliciousness is the presence of an embedded Equation Editor OLE object within the OOXML file. This technique is commonly used to exploit vulnerabilities in the Equation Editor component to execute arbitrary code. The file's structure and the specific OLE object identified strongly suggest that it is a delivery mechanism for a secondary payload.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE-related; id: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/ODMoh.IE2v contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; id: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size.

  • ooxml_oleobject_00.bin
    SHA-256: f62b20fba71d36993dd8d1f426d9af1c9ec94f2ebff36eacee03f345015f77c0
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/ODMoh.IE2v
    Size: 891904 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: bcf84fc794cf73ee9638ae8ac28f5baa50af2f09d83469f35defa587b1a01ed4
    Kind: ole-package
    Source: OOXML xl/embeddings/ODMoh.IE2v, Ole10Native stream: ole10NaTIVe
    Size: 882295 bytes