Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ad92fb41b5650972…

MALICIOUS

Office (OOXML) / .XLSX

Size: 753.6 KB
Created: 2004-09-16 12:33:58 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 0f2d7c68b39735c57f756cfd7721b72b
SHA-1: 1a0e627c406620961cb3139456527cf3157af41d
SHA-256: ad92fb41b56509723d240def542d1d154b40e74a93b9736d5bad20c61ca26650
Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter

The file contains an embedded OLE object that references the Equation Editor component, a legacy component exploited in past attacks (CVE-2017-11882, CVE-2018-0802). The presence of a large, high-entropy Ole10Native stream inside that OLE object, combined with malformed package sizing, strongly suggests an attempt to exploit one of these vulnerabilities. The document excerpt supports this, showing the Equation Editor CLSID and the resulting potential for arbitrary code execution. The file most likely attempts to trigger the exploit when the document is opened.

Heuristics (3)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/D02r.25bUA3 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high; rule: OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • ooxml_oleobject_00.bin
    SHA-256: 8f4bbec32d35781820a54601b7bd40cd84654b9e3e50290979a5a3b7c0d14905
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/D02r.25bUA3
    Size: 961024 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 8e0ec56cf1adfa6afec70ce897686fbe0f95c0286e8dc0cffb01823fb0261e5a
    Kind: ole-package
    Source: OOXML xl/embeddings/D02r.25bUA3 Ole10Native stream: ole10naTIvE
    Size: 951026 bytes