Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 bc2adc33f027ec3b…

MALICIOUS

Office (OOXML) / .XLSX

Size: 485.5 KB | Created: 2006-09-16 00:00:00 UTC | Authoring application: Microsoft Excel 12.0000
The creation timestamp predates the release of Excel 2007 (application version 12) and is a placeholder value commonly found in OOXML core metadata, so it should not be read as a real authoring time.
MD5: 30817eac74991bb376a30d3d6d464e60 SHA-1: 4fd04e99fb315d201d2ac309e86b92eb1f23469f SHA-256: bc2adc33f027ec3b8090b6ae270732f23cb15dffe41ed44b77022fe73ee179ff
Risk score: 108

Malware Insights

MITRE ATT&CK: T1203 Exploitation for Client Execution

The workbook embeds two OLE objects. xl/embeddings/oleObject1.bin (4 KB) carries the Microsoft Equation Editor 3.0 CLSID, the legacy EQNEDT32.EXE component behind CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798; its data sits in an Ole10Native stream whose name is written in mixed case (olE10NaTiVE). Compound-file stream names are compared case-insensitively, so Office treats this like any other Ole10Native stream, but a tool that matches the usual name literally will miss it. The high-severity heuristic finds that stream malformed and payload-like in a way consistent with CVE-2018-0798 (a stack buffer overflow in the Equation Editor's matrix-record parsing) without matching the exact public byte signature, so the CVE attribution is "likely" rather than confirmed; opening the workbook on a host where Equation Editor is still installed would be the code-execution vector (T1203). One worksheet is hidden, a common way to keep macro sheets or staging data out of view. The second object, xl/embeddings/oleObject2.bin, is a 1.6 MB Ole10Native package, and xl/media/image6.emf is a 3.2 MB EMF; neither is scored by the heuristics, and both are the natural candidates to inspect next for whatever stage the exploit would run.

Heuristics (4)

  • Equation Editor OLE object [high, CVE-related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • CVE-2018-0798 — anomalous Equation Editor native stream [high, CVE likely] CVE_2018_0798_EQUATION_NATIVE_ANOMALY
    The embedded Equation Editor OLE data contains anomalous native-stream bytes consistent with a CVE-2018-0798-style exploit (a stack buffer overflow in the Equation Editor's matrix-record parsing). This is treated as likely rather than confirmed CVE evidence: the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    The document contains an embedded OLE object.
  • Hidden worksheet (state: hidden) [low] OOXML_HIDDEN_SHEET
    The workbook contains 1 hidden sheet. Hidden sheets are commonly used to conceal Excel 4.0 macro sheets, staging data, or intermediate payload construction; sheets with state "veryHidden", which cannot be unhidden from the Excel UI, deserve the same scrutiny.
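Added example (not the scanner's own detection code): a Python triage script that locates the four indicators above in an OOXML workbook. It reads hidden sheets from xl/workbook.xml, enumerates embedded OLE parts under xl/embeddings/, checks the compound file's root entry for the Equation Editor 3.0 CLSID, and matches the Ole10Native stream name case-insensitively, since the stream in this sample is named olE10NaTiVE. The compound-file reader is a deliberately minimal MS-CFB directory walk (header DIFAT slots only, no mini-stream); the workbook it runs on is constructed inside the script and is not the analysed file. Signature matching for the CVE-2018-0798 native-stream anomaly is not reproduced here.

```python
import io
import struct
import uuid
import zipfile
import xml.etree.ElementTree as ET

EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")  # Equation.3
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD
SS_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def cfb_directory(data):
    """Minimal MS-CFB directory walk -> [(name, entry_type, clsid)].
    Follows only the 109 header DIFAT slots; use olefile on real samples."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    sector = 1 << struct.unpack_from("<H", data, 30)[0]
    n_fat, dir_start = struct.unpack_from("<II", data, 44)
    fat_bytes = b""
    for i in range(min(n_fat, 109)):
        s = struct.unpack_from("<I", data, 76 + 4 * i)[0]
        fat_bytes += data[(s + 1) * sector:(s + 2) * sector]
    fat = struct.unpack("<%dI" % (len(fat_bytes) // 4), fat_bytes)
    entries, sect, seen = [], dir_start, set()
    while sect < len(fat) and sect not in seen:  # ENDOFCHAIN falls out of range
        seen.add(sect)
        chunk = data[(sect + 1) * sector:(sect + 2) * sector]
        for off in range(0, len(chunk), 128):
            e = chunk[off:off + 128]
            name_len, etype = struct.unpack_from("<HB", e, 64)
            if etype == 0 or name_len < 2:
                continue  # unused directory slot
            name = e[:name_len - 2].decode("utf-16-le")  # drop the NUL terminator
            entries.append((name, etype, uuid.UUID(bytes_le=e[80:96])))
        sect = fat[sect]
    return entries


def triage_xlsx(xlsx_bytes):
    """Map a workbook to the report's four indicators."""
    res = {"hidden_sheets": [], "ole_parts": [], "equation_editor": False,
           "ole10native_names": []}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sh in wb.iter("{%s}sheet" % SS_NS):
            if sh.get("state") in ("hidden", "veryHidden"):
                res["hidden_sheets"].append((sh.get("name"), sh.get("state")))
        for part in z.namelist():
            if not (part.startswith("xl/embeddings/") and part.endswith(".bin")):
                continue
            res["ole_parts"].append(part)
            for name, etype, clsid in cfb_directory(z.read(part)):
                if etype == 5 and clsid == EQNEDT_CLSID:  # root storage carries the CLSID
                    res["equation_editor"] = True
                # MS-CFB compares names case-insensitively, so match the same way:
                # a literal "\x01Ole10Native" check would miss "olE10NaTiVE".
                if name.lstrip("\x01").lower() == "ole10native":
                    res["ole10native_names"].append(name.lstrip("\x01"))
    return res


def build_cfb(root_clsid, stream_name):
    """Constructed minimal compound file: header, one FAT sector, one
    directory sector with a Root Entry (CLSID set) and one empty stream."""
    def entry(name, etype, clsid=None, child=FREESECT):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(128)
        e[:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 64, len(raw), etype, 1, FREESECT, FREESECT, child)
        if clsid:
            e[80:96] = clsid.bytes_le
        struct.pack_into("<I", e, 116, ENDOFCHAIN)  # no stream data
        return bytes(e)
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # v3, 512-byte sectors
    struct.pack_into("<IIIIIIII", hdr, 44, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # DIFAT[0]: FAT is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))  # dir = sector 1
    directory = entry("Root Entry", 5, root_clsid, child=1) + entry(stream_name, 2)
    return bytes(hdr) + fat + directory.ljust(512, b"\x00")


def build_sample_xlsx():
    """Constructed workbook (not the analysed sample): a visible and a hidden sheet
    plus an embedded object with the Equation Editor CLSID and the mixed-case stream name."""
    workbook_xml = ('<workbook xmlns="%s" xmlns:r="%s"><sheets>'
                    '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
                    '<sheet name="Sheet2" sheetId="2" state="hidden" r:id="rId2"/>'
                    '</sheets></workbook>' % (SS_NS, R_NS))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/embeddings/oleObject1.bin", build_cfb(EQNEDT_CLSID, "\x01olE10NaTiVE"))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_xlsx(build_sample_xlsx()))
```

Run it as-is to see the indicator dict for the constructed workbook, or call triage_xlsx() on the bytes of a real .xlsx; the case-insensitive comparison is the part worth carrying into your own rules, since a stream named olE10NaTiVE is still loaded as Ole10Native by Office.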

Extracted artifacts (5)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin (ooxml-ole-object, 1614848 bytes)
    Source: OOXML embedded OLE part xl/embeddings/oleObject2.bin
    SHA-256: 2f2e3209e8aee7f85efda6e67bd01181642e0c68b49b368b830886dcb549ad8f
  • ooxml_oleobject_00_ole10native_00.bin (ole-package, 1599780 bytes)
    Source: Ole10Native stream "Ole10Native" in xl/embeddings/oleObject2.bin
    SHA-256: ae6173ee54937f64c652977a63ceeb27438c18c8874634ccf808a82e16b09e02
  • ooxml_oleobject_01.bin (ooxml-ole-object, 4096 bytes)
    Source: OOXML embedded OLE part xl/embeddings/oleObject1.bin
    SHA-256: 032a11fd02c9d7b3f24b0da8ac84ac378cb8ea32ffeb2400e1f71864997f1434
  • ooxml_oleobject_01_ole10native_00.bin (ole-package, 1798 bytes)
    Source: Ole10Native stream "olE10NaTiVE" in xl/embeddings/oleObject1.bin (note the mixed-case stream name)
    SHA-256: f269f7e2c1bc09022feeca9e3311dd533bb30f455da057929a360619a5f70d9d
  • emf_00.emf (ooxml-emf, 3199944 bytes)
    Source: OOXML EMF part xl/media/image6.emf
    SHA-256: 5ec13fdb116fad2a722159ac55f98a857e0925759bcaeb75ac83fccbf7c3e8c2