Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ae80fbd1adac6886…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.61 MB
Created: 2021-09-22 12:07:42 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2022-06-21
MD5: d4f0a1d637a96599b3b80feaba83b6bd
SHA-1: 5024dd4d58ebfcbefc1dbc45dfdf683491a0a3fa
SHA-256: ae80fbd1adac688684db087745df83d0991f7fe004ba232c9ee37df8736f260a
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The primary indicator of maliciousness is the presence of an embedded Equation Editor OLE object within the XLSX file. This is a common technique used to exploit vulnerabilities in the Equation Editor component, often leading to the execution of arbitrary code. While no specific payload or script was directly extracted, the nature of the embedded object strongly suggests an exploit delivery mechanism.

Heuristics (3)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/Ar6.cgJA contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 7092b91be83ccc07c222deb80a0898a35e53a66f3f378c64743e98e5259fabc3
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/Ar6.cgJA
    Size: 1922560 bytes
    Detection (ClamAV): No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.98, consistent with packed or encrypted content)