Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b1c74b43c3c2dac3…

MALICIOUS

Office (OOXML) / .XLSX

670.0 KB Created: 2010-06-04 08:55:28 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2023-09-20
MD5: 1b41c7a0ac2c4166ec0dba869d6cb718 SHA-1: 87b0c70a15437b73799dabab6068b6d3623f693f SHA-256: b1c74b43c3c2dac3db3b5f1fa1c834dd4b2bb293ac926cf3efa82ae82db01683
100 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The file is an OOXML document containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate that this object carries a payload-like Ole10Native stream with an anomalous header and a significantly larger declared inner size than the actual stream size, suggesting an exploit attempt. The presence of these indicators strongly points towards an attempt to exploit vulnerabilities within the Equation Editor component to execute malicious code.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/6xPdEupsI.MGTEF15 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
920729a9a90b91b8bcca0c7bc686fc6d6b0bfc3331084539ccf832713db9ad97		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/6xPdEupsI.MGTEF15 910848 bytes
ooxml_oleobject_00_ole10native_00.bin
7d712ed92f00cc55094e8a18dad5bd594392636ee027022b3bdd1c43f406062b		 ole-package OOXML xl/embeddings/6xPdEupsI.MGTEF15 Ole10Native stream: ole10NaTIvE 901357 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.