Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 afad991c5919976a…

MALICIOUS

Office (OOXML) / .XLSX

Size: 611.8 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 5b8ac2f5eef3206baa54b30633f17502
SHA-1: 696c01588aa218ca3fc2fadd83f55d634b65dbfc
SHA-256: afad991c5919976a4b5f274c9ec0bb9edc328e267cbd88f38553670473fb6245
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The high-severity heuristic firing for 'Equation Editor OLE object' indicates the presence of a known exploit vector within the embedded OLE object. This technique is commonly used to execute arbitrary code upon opening the document, leading to further stages of infection.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/tmKyLiqj.XAg contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 14fdf9214cfb2952a6735d33d41d5e5809b021da112e196d9d4aae5596bbdabe
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/tmKyLiqj.XAg
  Size: 897024 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 356594cf67d0310d35b3149a43f2f7db490195d8c87f630c823e3b8e5ad2ab51
  Kind: ole-package
  Source: OOXML xl/embeddings/tmKyLiqj.XAg Ole10Native stream: olE10NatIVE
  Size: 887517 bytes