Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ad4e7c52c03e9f28…

MALICIOUS

Office (OOXML) / .XLSX

Size: 700.2 KB
Created: 2023-06-15 16:05:34 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2023-06-19

MD5: 4e586f0181c113f7e5ee906b8dbf1d24
SHA-1: d672a54a411cc5677d4a7c3fcc3a61d284363324
SHA-256: ad4e7c52c03e9f28ec7f215d7f9982df69e070e675d5737cbd8ea412ba3f9eaa

Risk score: 100

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking
T1204.002 Malicious File

The file is an Excel document containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. Heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous header and a significantly larger declared inner size than the actual stream size. This strongly suggests the exploitation of a vulnerability within the Equation Editor component to execute arbitrary code. No scripts were extracted, and the document body appears to be unrelated logistical data, making the Equation Editor exploit the primary vector for malicious activity.

Heuristics (3)

  • Equation Editor OLE object [severity: high; CVE related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/js0lGzmN.UBeo4 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream [severity: high] OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [severity: medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                               | Kind             | Source                                                             | Size
ooxml_oleobject_00.bin                 | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/js0lGzmN.UBeo4              | 1026048 bytes
  SHA-256: 1fa9204373664a02d3c063f930a8dc3359efa3853f75626b968b458105ec740e
ooxml_oleobject_00_ole10native_00.bin  | ole-package      | OOXML xl/embeddings/js0lGzmN.UBeo4 Ole10Native stream: ole10NATIVe | 1015469 bytes
  SHA-256: b4f2fad99a410b110809725194581f3451ed76b3150ad7a6935b1d5a90b068c2