Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 afd3e1e189add2bc…

MALICIOUS

Office (OOXML) / .XLSX

684.1 KB Created: 2022-08-10 18:51:50 UTC Authoring application: Microsoft Excel 16.0300
MD5: 0f02830bb11bc405677c3d1a83b40774 SHA-1: d7bdf67c7780b1e171fc38df3f6248f16dbeec98 SHA-256: afd3e1e189add2bc84466243ddbf5647796bc747db8713c930bbe14efe9da158
60 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is an Office document containing an embedded OLE object identified as an Equation Editor. This is a known technique for exploiting vulnerabilities to execute arbitrary code. The presence of the Equation Editor OLE object strongly suggests an attempt to leverage this exploit for malicious purposes, likely to download and execute a secondary payload.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/3R1jC.xShq contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
fa0e2899a984b0ed2d4592711d29269d5033cdd0e2b96c63551a6fc901d5b474		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/3R1jC.xShq 994304 bytes
ooxml_oleobject_00_ole10native_00.bin
bf9640e9f4c77df8e7cc59b669e2f48c60674d795bcdb9711fa23017c9748e6a		 ole-package OOXML xl/embeddings/3R1jC.xShq Ole10Native stream: Ole10nAtivE 983571 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.