Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 aa4d0dca34cf39f2…

MALICIOUS

Office (OOXML) / .XLSX

Size: 615.2 KB
Created: 2020-03-16 06:38:42 UTC
Authoring application: Microsoft Excel 12.0000
MD5: f0647b6c9210c549a452c5e510b25c6e
SHA-1: e75bc4aff4c0f52bbb12f6d91b6534db629d44c1
SHA-256: aa4d0dca34cf39f2988149c4470b996a72d7ad9a391a57936e00b31c1f94f33d
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.001 Phishing: Spearphishing Attachment
  • T1071.001 Application Layer Protocol: Web Protocols

The file contains an embedded OLE object that references the Equation Editor component, which is affected by a known vulnerability (CVE-2017-11882) allowing arbitrary code execution. The presence of a malformed Ole10Native stream within the OLE object, combined with the Equation Editor CLSID, strongly suggests an attempt to exploit this vulnerability. The high-entropy stream and unusual package sizing further indicate a crafted payload. This likely represents a macro-based downloader or a similar technique used to deliver a secondary payload.

Heuristics (3)

  • Equation Editor OLE object [high, CVE related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/KC2oS.174e5v contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream [high] OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 126eedf26b56cfbe463421c882a309055e0e8ba668f99924e89ca66d4c80b97d
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/KC2oS.174e5v
  Size:    885760 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: f0cdabd84ea6087259133f46da380532ace507378f55acfdcbc799e1c3ebd137
  Kind:    ole-package
  Source:  OOXML xl/embeddings/KC2oS.174e5v Ole10Native stream: Ole10nATive
  Size:    876269 bytes