Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 ae763b7a0ae822be…

MALICIOUS

Office (OOXML)

Size: 643.6 KB
Created: 2019-11-27 09:20:57 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 2b4a5ffda191e72a25fcf3224e7ad153
SHA-1: fd0d9d0b115d07842d6ec99d6c8cdff2f93de8c1
SHA-256: ae763b7a0ae822be482409f36b15cbb09c23e54fd2e8fe3e9a51aafa2ae0aa88
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The file is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream, suggesting it is being used to exploit a vulnerability for client execution. The document body contains what appears to be a parts list in Afrikaans, which is likely a lure to disguise the malicious nature of the embedded object.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related) — OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/ZShhHoX.KnM contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high) — OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium) — OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 7a1d94414f48022116b2ec53fb5e5c500fe2772f74119b914d0c7b8559a26240
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/ZShhHoX.KnM
    Size: 875008 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 2033413ef50a5f8192268547d98d88aa515f946b6a776d55d6933af07b9d958a
    Kind: ole-package
    Source: OOXML xl/embeddings/ZShhHoX.KnM Ole10Native stream: oLe10naTIVE
    Size: 865501 bytes