Office (OOXML) / .XLSX malware analysis — malicious · b326ee834d3e9c27

MALICIOUS

Office (OOXML) / .XLSX

2.03 MB Created: 2022-05-16 17:34:45 UTC Authoring application: Microsoft Excel 15.0300

MD5: 0c7d9bbd0cfe3621f076aae883009e36 SHA-1: 58d9da251f4466a6cd9fb7fb7f0cbb196425db2e SHA-256: b326ee834d3e9c27a5712b91bf28ac789ea8f715dfd17cca0cd6d0cc5ef18c9f

60 Risk Score

Malware Insights

MITRE ATT&CK

T1559.001 Component Object Model Hijacking

The primary finding is a high-severity heuristic indicating an Equation Editor OLE object embedded within the OOXML file. This is a common technique used to exploit vulnerabilities in Microsoft Office applications, often leading to the execution of arbitrary code. The embedded OLE object itself is the main indicator of compromise.

Heuristics 2

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/e2J.0Kg contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `30b6b40367508a054d79e4491be06b7b00efadac2158232a32b89e6e1e660f0f`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/e2J.0Kg	2865664 bytes
`ooxml_oleobject_00_ole10native_00.bin` `8cb21ec508fc30dfae287da375d27807c20fc7101b9903246d9ce754fcc2f991`	ole-package	OOXML xl/embeddings/e2J.0Kg Ole10Native stream: Ole10Native	2840840 bytes
`emf_00.emf` `38f17a599ac5d645df3840bbb401710ef81573a747da20abbfc1b7d9a9273b58`	ooxml-emf	OOXML EMF part: xl/media/image1.emf	169096 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.