Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 aee0682310c144af…

MALICIOUS

Office (OOXML) / .XLSX

Size: 657.3 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 5ce0857048fbe875f974aa7ef82df50d
SHA-1: cc76d5613ce01649c89e944679df0008d8904c72
SHA-256: aee0682310c144af4f3c056db4c1fc6810f8db6a78bf3c970fc06da87d5cc653
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The file is an Excel spreadsheet containing an embedded OLE object identified as an Equation Editor object. Embedding such an object is a common technique for exploiting vulnerabilities in Microsoft Office applications to execute arbitrary code. No specific scripts or further payloads were extracted, but the presence of the OLE object strongly suggests an intent to exploit the Equation Editor component.

Heuristics (2)

  • Equation Editor OLE object | high | CVE related | OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/Vkhz8Kjm.meSF contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object | medium | OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    34c61a29ddab8de0e187da7c05c2c746eef21b22b5d91d8f1769c0548f4a375f
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/Vkhz8Kjm.meSF
    Size: 935936 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    018e6aafb5c0262a70d6a07beb6c790fd5ac1f344fe89b37b5ac3cac30d7d183
    Kind: ole-package
    Source: OOXML xl/embeddings/Vkhz8Kjm.meSF Ole10Native stream: OLe10naTIVe
    Size: 925991 bytes