Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b8e762cb476f275f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 589.2 KB
Created: 2023-11-17 18:26:59 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 9fe19f03b1390e3e5cb002ecccb1b640
SHA-1: 1cb49826edf0ea2ae0812849bceaeddea85e341f
SHA-256: b8e762cb476f275f788c3b8db49cd3ef3e6fbb3c8d62596a8ccc56f1bc3c54a3
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The sample is an Office Open XML (OOXML) file containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. This type of object is known to be exploited to deliver malicious payloads. The presence of the Equation Editor OLE object strongly suggests an attempt to leverage a vulnerability within it, likely for arbitrary code execution. No scripts were extracted, and the document body was truncated, limiting further analysis of the specific payload or delivery mechanism.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE-related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/cug5ZDQzj.YZFGXU8 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    The document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 613b9df9c7099cd157fac09c6291b9af26c28aa0a762649fca74340f2b03b8ea
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/cug5ZDQzj.YZFGXU8
  Size: 811520 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 5eaa62a5e19ffdad3e08101ae32864b2a0b443b458a2633167d930df02db1fb2
  Kind: ole-package
  Source: OOXML xl/embeddings/cug5ZDQzj.YZFGXU8 Ole10Native stream: ole10nATiVe
  Size: 802536 bytes