Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b265d5a43b4654f5…

MALICIOUS

Office (OOXML) / .XLSX

Size: 627.3 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
MD5: fe8fc3b63d5cad4fad54eb6bc0eb5c7c
SHA-1: 6549f12cf51e4614057c3fb514807e02214c593e
SHA-256: b265d5a43b4654f571a0bee67b3024688754327cb21e5f41b32ce27d9263f002
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking
T1204.002 Malicious File

The high-severity heuristic firing for 'Equation Editor OLE object' indicates the presence of a known exploit vector within the embedded OLE object. This technique is commonly used to execute arbitrary code, often leading to the download and execution of further malicious stages. The embedded OLE object itself is the primary indicator of compromise.

Heuristics (2)

  • Equation Editor OLE object
    Severity: high
    Tags: CVE related
    Rule: OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/jb.BeL contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object
    Severity: medium
    Rule: OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: c608dfe8d04f3c433b5edd9aab4473c72c573d926ede71ea2bb599ae5045f4d2
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/jb.BeL
    Size: 907776 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 9028345599e13a0aa9cc63dff486854b80b70b81a679b118f2d9a3ecf0cdae72
    Kind: ole-package
    Source: OOXML xl/embeddings/jb.BeL Ole10Native stream: OLe10NaTIVE
    Size: 898254 bytes