Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a8def1d54aba3304…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.08 MB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 12.0000
MD5: a550d826a7f33ff52029c69fe46b5946
SHA-1: 6d7fb5ffed2e13f99503920ba33d9c1c8fea24ce
SHA-256: a8def1d54aba3304c4a93d2f23001104bfb014d0295fa7d0c84457cb0ddde000
Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.001 Malicious Link

The sample is an Excel file containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. Heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream, suggesting it is designed to exploit a vulnerability, most likely CVE-2017-11882, to execute arbitrary code. The presence of hidden sheets further supports the concealment of malicious content. No specific malware family could be identified, but the attack pattern is consistent with exploit delivery via a malicious document.

Heuristics (4)

  • Equation Editor OLE object [high] [CVE related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream [high] OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Hidden worksheet (hidden) [low] OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

ooxml_oleobject_00.bin
  SHA-256: 43c26557191aebb176a7da2d8d4acc479aa7abf058b5813e5a1a72037a08edec
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/oleObject1.bin
  Size:    1037824 bytes

ooxml_oleobject_00_ole10native_00.bin
  SHA-256: e8407bcaf7a2c8f4c589076537167e0412baf8c775b1720ceb5d736218c2b839
  Kind:    ole-package
  Source:  OOXML xl/embeddings/oleObject1.bin Ole10Native stream: OlE10nAtIVe
  Size:    1027358 bytes

ooxml_oleobject_01.bin
  SHA-256: 2341c8570cba4b1e3d9ea1d074f1933598460cf59556dc731f7332f34262c991
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/oleObject2.bin
  Size:    1535488 bytes

ooxml_oleobject_01_ole10native_00.bin
  SHA-256: f7bfcd2cfafe65360c900b06396fb593106749574e01161bc1df7461e65c0804
  Kind:    ole-package
  Source:  OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native
  Size:    1520900 bytes

emf_00.emf
  SHA-256: 072a6a893b25f4848345ae02773b4dd141c43ec598f34f1da6844dabe6ca8a42
  Kind:    ooxml-emf
  Source:  OOXML EMF part: xl/media/image2.emf
  Size:    3042216 bytes