Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a56a07917d3a2444…

MALICIOUS

Office (OOXML) / .XLSX

661.3 KB
MD5: 58a017e61acceb06208d68a41f17658a SHA-1: 973155e685dada8da86658e5739612e7d73f89b3 SHA-256: a56a07917d3a2444fc0e87cab7fb6f85829d533d0cf12e61856dd076592b993d
110 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.001 Malicious Link

The XLSX file contains an embedded Equation Editor OLE object that exhibits anomalous characteristics, strongly suggesting it carries a malicious payload. The anomaly involves an impossible Ole10Native header size compared to the stream size, indicating a potential exploit. This technique is commonly used to deliver second-stage malware. No scripts were extracted, and the document body was not available for analysis.

Heuristics 5

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/Lz4OfLHG.aJ9TG3 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • External hyperlinks (710) low OOXML_EXTERNAL_HYPERLINKS
    Document contains 710 external hyperlinks — clickable URLs are stored as external relationships. First target: https://www.reddit.com/r/dogecoin
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.iconomi.net/
    • https://www.coinist.io/press-releases/
    • https://blockstack.org/
    • https://icopressrelease.com/
    • http://www.icoduniya.com/
    • http://btcwarriors.com/
    • https://www.tezos.com/
    • https://bitcoinblackhat.com/
    • https://crypto20.com
    • https://coinforum.ca
    • https://tokenbox.io/
    • http://altcoinalerts.com/press-releases-ico/
    • https://grayscale.co/
    • http://icocrowd.com/send-a-press-release/
    • https://www.taas.fund/
    • http://worldcoinindex.com/
    • https://www.bitcoin-millionaire.com/forums/
    • https://thetoken.io/
    • https://icotimeline.com/tag/press-release/
    • http://tokenmarket.net/
    • https://bitco.in/forum/
    • https://blackmooncrypto.com/
    • https://coindelite.com/ico-press-release/
    • https://bitcoinforum.com
    • https://www.astronaut.capital/
    • http://icocalendar.today/
    • http://blockchain.capital/
    • https://icopanic.com/submit-press-release/
    • http://coinschedule.com/
    • https://thebitcoinstrip.com/free-bitcoins/
    • https://satoshi.fund/
    • https://blokt.com/submit-a-press-release
    • http://52ico.com/
    • https://bitcoingarden.org/forum/
    • https://www.panteracapital.com/
    • https://bitcoinexchangeguide.com/ico-press-release-marketing/
    • http://icoalert.com/
    • https://multicoin.capital/
    • https://londonletter.org/submit-ico-press-release/
    • http://coinhills.com/
    • https://forumbitcoin.co.id
    • http://polychain.capital/
    • http://cryptocoincharts.info/
    • https://triaconta.com/
    • https://cryptofame.io/ico-press-release/
    • http://allcoin.com/
    • https://melonport.com/
    • http://bluemagic.info/
    • https://bitcoinchaser.com/press-release
    • http://icorating.com/
    +519 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
ce7969b2fcad182d33a4c5cf1b62d8265a601447f222305835cc844b1a5ba7b5		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/Lz4OfLHG.aJ9TG3 965120 bytes
ooxml_oleobject_00_ole10native_00.bin
63f9d955d94f5700037323682f39f703a9f73a017c8b618c8779e329c4c21d0a		 ole-package OOXML xl/embeddings/Lz4OfLHG.aJ9TG3 Ole10Native stream: olE10nAtIve 955275 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.