Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 bdb20099fec87251…

MALICIOUS

Office (OOXML) / .XLSX

Size: 748.9 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2022-06-22
MD5: 9c694113a018fdf2ed56f9a9ac530db2
SHA-1: 6fba663bae4424121f2c1f227a027300e3e17b74
SHA-256: bdb20099fec87251858f342c31e3e367d24aa03e5ae3ef840a2380af69f71157
Risk Score: 100

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The file is an OOXML document containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate that this object carries a payload-like Ole10Native stream with an anomalous header and a significantly larger declared inner size than the actual stream size. This strongly suggests the embedded object is designed to exploit vulnerabilities or deliver malicious content when opened. The document body, formatted as a purchase order, serves as a lure to encourage user interaction with the malicious object.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/65.yJOJ contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high; rule: OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    SHA-256: 6d07cc52c1b8336c9ac5becfe3597210cdef4da4cda21d95277e986db7a2718f
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/65.yJOJ
    Size: 1055232 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 392dcaa4b42d2cc05e3c3a7788fa1d18e54054ff080b3734c583be0b890478d1
    Kind: ole-package
    Source: OOXML xl/embeddings/65.yJOJ Ole10Native stream: oLE10NAtivE
    Size: 1044230 bytes