Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 abf588713dd9d20b…

MALICIOUS

Office (OOXML) / .XLSX

Size: 716.2 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
MD5: a8fb3fde4b9f53355ca1a139663b1c9b
SHA-1: dd33cbd7320160fe89dac68b84369e649583c32d
SHA-256: abf588713dd9d20b772437cf8cb8329447a804813744fe3c20b8585ad61e4837
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link
  • T1059 Command and Scripting Interpreter

The file is an Office document containing an embedded OLE object identified as an Equation Editor object. The Equation Editor component is known to be vulnerable to exploits that allow arbitrary code execution, so the presence of this object strongly suggests an attempt to leverage a known vulnerability, most likely to download and execute a secondary payload. No scripts were extracted, and the document body contains what appears to be invoice and product information, which is likely a lure.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/Zc7.iop4y contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256: a30d00b4a7f5e9a6cec3c4b718b619ea903513b344e60157feed22f560076748
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/Zc7.iop4y
  Size: 967168 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: a6718381d9110dd7a07f7e399a9ba848cac06b0390de6827ad056a5a964b8b86
  Kind: ole-package
  Source: OOXML xl/embeddings/Zc7.iop4y Ole10Native stream: ole10NATive
  Size: 957412 bytes