Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 bbcac383ed9bb3cc…

MALICIOUS

Office (OOXML)

Size: 2.53 MB
Created: 2021-01-13 03:25:40 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2021-06-28
MD5: c85cb0c87809226e5b5d3cb9243ef645
SHA-1: 693e48928163a69974686c2415e5577c73509ef0
SHA-256: bbcac383ed9bb3ccb89a72bc5f4837c436d8a4cd7893e8c90e680e5c8ce20a1c
Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The file is an OOXML document containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. High-severity heuristics indicate anomalies within the Equation Editor's native stream, strongly suggesting exploitation of CVE-2018-0798. This vulnerability allows for the execution of arbitrary code, likely leading to the download and execution of a secondary payload.

Heuristics (6)

  • Equation Editor OLE object (severity: high; CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/1DSjXAKAP.z4GIbt contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • CVE-2018-0798 — anomalous Equation Editor native stream (severity: high; CVE likely) [CVE_2018_0798_EQUATION_NATIVE_ANOMALY]
    Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high) [OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • NOP-equivalent sled detected (severity: medium) [SC_NOP_EQUIV_SLED]
    Long run of 0x40 bytes
    Disassembly (attempted x86 opcode disassembly):
    001D5922  40                inc eax
    001D5923  40                inc eax
    001D5924  40                inc eax
    001D5925  40                inc eax
    001D5926  40                inc eax
    001D5927  40                inc eax
    001D5928  40                inc eax
    001D5929  40                inc eax
    001D592A  40                inc eax
    001D592B  40                inc eax
    001D592C  40                inc eax
    001D592D  40                inc eax
    001D592E  40                inc eax
    001D592F  40                inc eax
    001D5930  40                inc eax
    001D5931  40                inc eax
    001D5932  40                inc eax
    001D5933  40                inc eax
    001D5934  40                inc eax
    001D5935  40                inc eax
    001D5936  40                inc eax
    001D5937  40                inc eax
    001D5938  40                inc eax
    001D5939  40                inc eax
    001D593A  40                inc eax
    001D593B  40                inc eax
    001D593C  40                inc eax
    001D593D  40                inc eax
    001D593E  40                inc eax
    001D593F  40                inc eax
    001D5940  40                inc eax
    001D5941  40                inc eax
    001D5942  40                inc eax
    001D5943  40                inc eax
    001D5944  40                inc eax
    001D5945  40                inc eax
    001D5946  40                inc eax
    001D5947  40                inc eax
    001D5948  40                inc eax
    001D5949  40                inc eax
    001D594A  40                inc eax
    001D594B  40                inc eax
    001D594C  40                inc eax
    001D594D  40                inc eax
    001D594E  40                inc eax
    001D594F  40                inc eax
    001D5950  40                inc eax
    001D5951  40                inc eax
    001D5952  40                inc eax
    001D5953  40                inc eax
    001D5954  40                inc eax
    001D5955  40                inc eax
    001D5956  40                inc eax
    001D5957  40                inc eax
    001D5958  40                inc eax
    001D5959  40                inc eax
    001D595A  40                inc eax
    001D595B  40                inc eax
    001D595C  40                inc eax
    001D595D  40                inc eax
    001D595E  40                inc eax
    001D595F  40                inc eax
    001D5960  40                inc eax
    001D5961  40                inc eax
    001D5962  40                inc eax
    001D5963  40                inc eax
    001D5964  40                inc eax
    001D5965  40                inc eax
    001D5966  40                inc eax
    001D5967  40                inc eax
    001D5968  40                inc eax
    001D5969  40                inc eax
    001D596A  40                inc eax
    001D596B  40                inc eax
    001D596C  40                inc eax
    001D596D  40                inc eax
    001D596E  40                inc eax
    001D596F  40                inc eax
    001D5970  40                inc eax
    001D5971  40                inc eax
    001D5972  40                inc eax
    001D5973  40                inc eax
    001D5974  40                inc eax
    001D5975  40                inc eax
    001D5976  40                inc eax
    001D5977  40                inc eax
    001D5978  40                inc eax
    001D5979  40                inc eax
    001D597A  40                inc eax
    001D597B  40                inc eax
    001D597C  40                inc eax
    001D597D  40                inc eax
    001D597E  40                inc eax
    001D597F  40                inc eax
    001D5980  40                inc eax
    001D5981  40                inc eax
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object
  • Suspicious extracted artifact (severity: info) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/1DSjXAKAP.z4GIbt
    Size: 2958848 bytes
    SHA-256: ca9f9772a46ea901ebe58b3ee443ca6e36e335c75511885c1f1cf5c8e296e17a
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.96, consistent with packed or encrypted content)
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package
    Source: OOXML xl/embeddings/1DSjXAKAP.z4GIbt Ole10Native stream: Ole10nATiVe
    Size: 2932795 bytes
    SHA-256: 948ba71c19888884f694d365e4c1a593b0dbf461bce008251299bf52a8014178
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)