Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b56e2d3d736380f3…

MALICIOUS

Office (OOXML) / .XLSX

Size: 755.7 KB
Created: 2020-08-20 17:59:18 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2022-11-23

MD5: 05b22b58303ffdf7c74de397fb188836
SHA-1: e4ad512d6d1083d758b14926bc380c048f429e9e
SHA-256: b56e2d3d736380f33f32ab158309146a318c41039119abd4b64c45c57f3078e9

Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The document contains a fake invoice lure, which is a common social engineering tactic. It also contains an embedded OLE object, specifically an Equation Editor object, which is known to be exploited to deliver malicious payloads. The anomaly detected in the Ole10Native stream suggests that this object is carrying a payload rather than legitimate Equation Editor data.

Heuristics (4)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/Jjb.cF3I contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high) [OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
  • Fake invoice / payment lure (severity: low) [SE_INVOICE_LURE]
    Document contains invoice or payment language paired with an action verb; this is useful context when combined with link, macro, or attachment indicators.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256: 6819191276a3015ce85d4cf7631bbbd0ab8f6a6e8a9b0ea8a6842a6884a52a3d
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/Jjb.cF3I
  Size: 906752 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: da4eb7d9aae29dbc8f955ca7f4000c20e61437f0ea9e4291fc5b850e77ff076d
  Kind: ole-package
  Source: OOXML xl/embeddings/Jjb.cF3I Ole10Native stream: oLe10NATiVe
  Size: 897348 bytes