Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a647e8fd79ba5b48…

MALICIOUS

Office (OOXML) / .XLSX

Size: 635.2 KB
Created: 2023-11-17 18:26:59 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 4d3e4adb365a434ea2316a7c6f6934ba
SHA-1: 4f6148e95303f25437dc5c7bf95b75e6bbdadf71
SHA-256: a647e8fd79ba5b48dc516e2c65cd0d9c0a83163ccffa60977d1b60400ea8b1cf
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1559.001 Component Object Model Hijacking

The sample is an Excel workbook containing an embedded OLE object identified as an Equation Editor object. This strongly suggests an attempt to exploit a known vulnerability in the Equation Editor component to execute arbitrary code. The embedded object's filename, 'qhetl.gwQRQ3', is also flagged as a potential indicator. No scripts were extracted, and the document body was truncated, which limited further analysis of the specific lure or payload.

Heuristics (2)

  • Equation Editor OLE object [severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/qhetl.gwQRQ3 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [severity: medium; rule: OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 40d9217c23acab458c4cbe4709ac4bcc7a0bd69b405be979f0419d2da9f9f715
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/qhetl.gwQRQ3
  Size: 885760 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 92e72cd2a6a7def1ba852cff9602e349a6a0304c95e860ddbc11177d53ff9aa1
  Kind: ole-package
  Source: OOXML xl/embeddings/qhetl.gwQRQ3 Ole10Native stream: Ole10NAtiVe
  Size: 876260 bytes