Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b8ca62e7e7280e4b…

MALICIOUS

Office (OOXML) / .XLSX

Size: 599.6 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 3cdc50bc9a56c4f3ebe5e0c85fab7949
SHA-1: 24c74a80d025fb7528b3a0a1573425dca18e0786
SHA-256: b8ca62e7e7280e4b8e3b14ba7b022c78e8f8d6be189d5f88cc18ab35054c3a18
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an Office Open XML spreadsheet containing an embedded OLE object, specifically identified as an Equation Editor object. This strongly suggests exploitation of a known vulnerability in the Equation Editor component, likely leading to arbitrary code execution. No document body or scripts were extracted, but the presence of the Equation Editor object alone is sufficient to infer malicious intent.

Heuristics 2

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/Gw.oLxOQ contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: d353648559e6202761883af44ff10ef272d566ac0bdb63b1eea2f244ffa49d0f
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/Gw.oLxOQ
    Size: 828416 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 17007a6c6bde9820a5d7f778a4c52af0219562caa292867fcbc44f91b6d896fc
    Kind: ole-package
    Source: OOXML xl/embeddings/Gw.oLxOQ Ole10Native stream: oLE10NaTIVe
    Size: 819706 bytes