Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 bbf548657c3a96ef…

MALICIOUS

Office (OOXML) / .XLSX

Size: 673.0 KB
Created: 2019-11-27 09:20:57 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2022-05-25
MD5: f1fb2dc68c377650021c9e6ac6df7dcc
SHA-1: a2752689c63c6d087630ac754cf76fff3cb7e7f9
SHA-256: bbf548657c3a96efe47e3ac024e4072bdafb6b6063a090226e9fe3163e0e86cc
Risk Score: 66

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The file is an Excel spreadsheet containing an embedded OLE object, identified as an Equation Editor object. Embedding an Equation Editor object is a common technique for exploiting vulnerabilities in that legacy component or for delivering malicious content, so the presence of this object strongly suggests an attempt to execute arbitrary code or download a secondary payload. No scripts were extracted, and the document body contains what appears to be inventory or parts data; this content does not in itself indicate malicious intent but serves as a lure.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tags: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/LIfhMY9.R7OXR contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256: d2ebb16b416dd2b6cae5bc98d2e634c727198031c5c3fb3ec30a7cd930ea1e3b
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/LIfhMY9.R7OXR
  Size: 908800 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 4e5693f520a050f7dcdf591255ff941cd7c6c44750ca1ca3ec718d93602799d6
  Kind: ole-package
  Source: OOXML xl/embeddings/LIfhMY9.R7OXR, Ole10Native stream: olE10naTiVE
  Size: 899270 bytes