Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 bd6549edba2b5762…

MALICIOUS

Office (OOXML) / .XLSX

Size: 729.3 KB
Created: 2020-07-07 21:52:29 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 8bcc4df45d89af708da39e3159f110bd
SHA-1: e7b296d31480824fd3d5eb6cefad7667d9ce5d50
SHA-256: bd6549edba2b57625267f073d958dad24d9a6350c24ab9319b970798a9f50fa7
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
(The name originally listed here, "Component Object Model Hijacking", belongs to T1546.015, not T1559.001. For a document that triggers an Equation Editor bug, T1203 Exploitation for Client Execution is the more precise technique.)

The primary indicator of maliciousness is an embedded Equation Editor OLE object (the legacy EQNEDT32.EXE component, CLSID 0002CE02-0000-0000-C000-000000000046) inside the XLSX package. This component is the target of well-known memory-corruption exploits such as CVE-2017-11882, which lets a crafted object execute arbitrary code when Excel hands it to the Equation Editor server. No VBA macros and no meaningful document body text were extracted, so the OLE object is the only delivery vehicle in the file, and its presence alone is a strong sign of an exploit attempt. Two details sharpen that assessment: the carved object carries an 832 KB Ole10Native (Packager) stream, whereas a genuine equation stores its data in an "Equation Native" stream, so the payload is a packaged file rather than equation data; and the part name xl/embeddings/URXX1pbr.ad6IfZ does not follow the oleObjectN.bin naming that Excel itself produces, which suggests the package was assembled by a tool rather than saved from Excel. Confirming which CVE is targeted requires parsing the Equation Native / Ole10Native data or detonating the sample; the static result only establishes that the exploitable component is invoked.

Heuristics (2)

  • OLE_EQUATION_EDITOR (severity: high; tag: CVE related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/URXX1pbr.ad6IfZ contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • OOXML_OLE_OBJECT (severity: medium): Embedded OLE object
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 3ad12d8eea44eb2e8a8dccd581ddbf94b92b6e7c700ea190900f916fa585f708
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/URXX1pbr.ad6IfZ
Size: 841216 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
SHA-256: 90c4a493e29ff8cbe4a1c689956aa4d58e3f80453d0cdb5426ae0367f2439b18
Kind: ole-package
Source: OOXML xl/embeddings/URXX1pbr.ad6IfZ Ole10Native stream: Ole10Native
Size: 832301 bytes
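The following script is an added example of how the two heuristics above and the Ole10Native artifact can be reproduced on any OOXML file; it is written for this page and is not the scanner's own code. It opens the zip container, reads every part under an embeddings/ directory (xl/, word/ and ppt/, so it generalises beyond Excel), parses the first directory sector of each OLE compound file to get the root entry CLSID and the first stream names, and flags the Equation Editor CLSIDs and any Ole10Native stream. The rule names OOXML_OLE_OBJECT and OLE_EQUATION_EDITOR mirror the report; OLE_OLE10NATIVE_STREAM and all function names are assumptions of this example, and the sample workbook it scans is constructed in memory (a valid CFB header and directory sector, no FAT) so it runs offline.

```python
"""Triage an OOXML container for embedded Equation Editor OLE objects."""
import io
import struct
import uuid
import zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# CLSIDs of the legacy Equation Editor (EQNEDT32.EXE), the component patched
# for CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
EQUATION_CLSIDS = {
    uuid.UUID("0002CE02-0000-0000-C000-000000000046"): "Microsoft Equation 3.0",
    uuid.UUID("00021700-0000-0000-C000-000000000046"): "Microsoft Equation 2.0",
}
OLE10NATIVE = "\x01Ole10Native"  # Packager stream holding a raw embedded file


def parse_first_directory_sector(blob):
    """Return (root CLSID, [directory entry names]) from a CFB blob.

    Only the first directory sector is read, with no FAT chain walk: enough to
    reach the root entry CLSID and the first three stream names of the object.
    """
    if len(blob) < 512 or not blob.startswith(CFB_MAGIC):
        return None, []
    sector_size = 1 << struct.unpack_from("<H", blob, 0x1E)[0]
    first_dir = struct.unpack_from("<I", blob, 0x30)[0]
    start = (first_dir + 1) * sector_size  # sector n follows the header sector
    sector = blob[start:start + sector_size]
    root_clsid, names = None, []
    for off in range(0, len(sector) - 127, 128):
        entry = sector[off:off + 128]
        name_len = struct.unpack_from("<H", entry, 0x40)[0]  # bytes, incl. NUL
        obj_type = entry[0x42]  # 1 storage, 2 stream, 5 root storage
        if obj_type == 0 or name_len < 2:
            continue  # unused slot
        names.append(entry[:name_len - 2].decode("utf-16-le", "replace"))
        if obj_type == 5:  # the root CLSID names the object's COM server
            root_clsid = uuid.UUID(bytes_le=bytes(entry[0x50:0x60]))
    return root_clsid, names


def triage_ooxml(data):
    """Scan every */embeddings/ part of an OOXML zip; return a list of findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if "/embeddings/" not in part:
                continue
            blob = zf.read(part)
            if not blob.startswith(CFB_MAGIC):
                continue  # e.g. a .bin that is not a compound file
            findings.append({"part": part, "rule": "OOXML_OLE_OBJECT", "severity": "medium"})
            clsid, names = parse_first_directory_sector(blob)
            if clsid in EQUATION_CLSIDS:
                findings.append({"part": part, "rule": "OLE_EQUATION_EDITOR",
                                 "severity": "high", "clsid": str(clsid).upper(),
                                 "object": EQUATION_CLSIDS[clsid]})
            if OLE10NATIVE in names:  # rule name is this example's own, not the scanner's
                findings.append({"part": part, "rule": "OLE_OLE10NATIVE_STREAM",
                                 "severity": "medium"})
    return findings


def _dir_entry(name, obj_type, clsid=None):
    """Build one 128-byte CFB directory entry (constructed test data)."""
    raw = (name + "\x00").encode("utf-16-le")
    entry = bytearray(128)
    entry[:len(raw)] = raw
    struct.pack_into("<HBB", entry, 0x40, len(raw), obj_type, 1)  # len, type, colour
    struct.pack_into("<III", entry, 0x44, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)  # no siblings/child
    if clsid is not None:
        entry[0x50:0x60] = clsid.bytes_le
    return bytes(entry)


def build_sample_xlsx():
    """Constructed workbook: an Equation Editor object wrapping an Ole10Native stream.

    The OLE blob has a valid header and one directory sector but no FAT, which is
    all the parser above needs; it is not a file Excel could open.
    """
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # v3, 512-byte sectors
    struct.pack_into("<I", header, 0x30, 0)  # first directory sector
    directory = (_dir_entry("Root Entry", 5, uuid.UUID("0002CE02-0000-0000-C000-000000000046"))
                 + _dir_entry("Equation Native", 2)
                 + _dir_entry(OLE10NATIVE, 2)
                 + _dir_entry("\x01CompObj", 2))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/oleObject1.bin", bytes(header) + directory)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_ooxml(build_sample_xlsx()):
        print(finding)
```

Reading only the first directory sector keeps the parser small and is sufficient for the root CLSID, which is always entry 0; for a full stream inventory (and to carve the Ole10Native payload as the report did) walk the FAT chain from the header's DIFAT, or use a library such as olefile. A CLSID match identifies the COM server that will be loaded, not the specific CVE, so treat it as a triage signal to be confirmed by inspecting the Equation Native data.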