Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 bfac8f9e61c5d650…

MALICIOUS

Office (OOXML) / .XLSX

Size: 713.3 KB
Created: 2023-09-27 08:05:40 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2023-10-12
MD5: b6bcff2b23211d74af18acc1043b0069
SHA-1: 11f2e3434fe425ade4527f10720ec230100508a5
SHA-256: bfac8f9e61c5d6503e6af4a2fd54597517f8bcd5d081f73cec7708323a4cc8d3
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model (the embedded object is loaded through COM; the memory-corruption exploitation of the Equation Editor CVEs listed below is also commonly mapped to T1203 Exploitation for Client Execution)

The primary finding is an embedded OLE object that carries the CLSID of Microsoft Equation 3.0, the legacy EQNEDT32.EXE component. The object is stored under the non-standard part name xl/embeddings/8tBm2rV.95PA7 rather than the oleObjectN.bin name Office itself writes, which indicates the package was assembled or renamed by a tool. Equation Editor objects are a well-known vector: a crafted equation stream triggers a memory-corruption bug in EQNEDT32.EXE when the document is opened, giving arbitrary code execution that is typically used to download and run a second stage. The workbook body is heavily obfuscated and offers no textual lure, so the maliciousness rests entirely on the embedded object. Note that Microsoft removed the Equation Editor component in the January 2018 Office updates; fully patched installations will not launch it, but the object serves no legitimate purpose and the verdict stands.

Heuristics (2)

  • Equation Editor OLE object  [severity: high; tags: CVE related; rule: OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/8tBm2rV.95PA7 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • Embedded OLE object  [severity: medium; rule: OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
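The two heuristics above can be reproduced with a small scanner. The script below is an added illustration, not the engine that produced this report: it walks the embeddings parts of an OOXML zip, checks for the MS-CFB magic, searches the raw bytes for the Equation Editor 3.0 CLSID as CFB stores it, finds an Ole10Native stream name in any letter case (the OLE runtime compares stream names case-insensitively, which is why a sample can spell it "olE10NATIVE" and still load), and flags part names that are not the oleObjectN.bin form Office writes. The sample document it builds is constructed in-memory test input, not the analysed file; the part name mirrors the report but the bytes are synthetic and not a valid CFB container.

```python
"""Triage an OOXML document for embedded Equation Editor OLE objects.

Added example; not the scanner behind the report. It searches the raw bytes
of each embedded part, so it also tolerates damaged CFB containers that a
strict parser would reject.
"""
import io
import re
import uuid
import zipfile

# Public CLSID of Microsoft Equation 3.0 (EQNEDT32.EXE). MS-CFB stores the
# first three GUID fields little-endian, which is what .bytes_le yields.
EQNEDT_CLSID_LE = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
EMBEDDING_DIRS = ("xl/embeddings/", "word/embeddings/", "ppt/embeddings/")


def utf16le_ci(text: str) -> bytes:
    """Regex that matches `text` encoded as UTF-16LE in any letter case."""
    out = []
    for ch in text:
        if ch.isalpha():
            out.append(b"[" + ch.lower().encode() + ch.upper().encode() + b"]\x00")
        else:
            out.append(re.escape(ch.encode()) + b"\x00")
    return b"".join(out)


# Directory-entry name "\x01Ole10Native" in UTF-16LE, case-insensitive.
OLE10NATIVE_RE = re.compile(b"\x01\x00" + utf16le_ci("Ole10Native"))


def scan_embedding(part_name: str, blob: bytes) -> dict:
    """Describe one embedded part with the checks the report's heuristics use."""
    stream = OLE10NATIVE_RE.search(blob)
    return {
        "part": part_name,
        "size": len(blob),
        "is_cfb": blob.startswith(CFB_MAGIC),
        "equation_editor_clsid": EQNEDT_CLSID_LE in blob,
        # Stream name exactly as spelled in the file, e.g. 'olE10NATIVE'
        "ole10native_stream": stream.group(0)[2:].decode("utf-16-le") if stream else None,
        # Office writes oleObjectN.bin; anything else was produced by a tool
        "nonstandard_part_name": re.fullmatch(r"oleObject\d+\.bin", part_name.rsplit("/", 1)[-1]) is None,
    }


def scan_ooxml(data: bytes) -> list:
    """Return one finding per embedded OLE part in an OOXML (zip) document."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [scan_embedding(n, zf.read(n)) for n in zf.namelist() if n.startswith(EMBEDDING_DIRS)]


def severity(finding: dict) -> str:
    """Report severities: Equation Editor CLSID is high, any other OLE object is medium."""
    if finding["equation_editor_clsid"]:
        return "high"
    return "medium" if finding["is_cfb"] else "low"


def build_sample() -> bytes:
    """Constructed input: an OOXML-shaped zip with one suspicious and one benign part."""
    suspicious = (
        CFB_MAGIC + b"\x00" * 504                                    # header padding
        + "\x01olE10NATIVE".encode("utf-16-le").ljust(64, b"\x00")   # mixed-case stream name
        + b"\x02\x00" + EQNEDT_CLSID_LE + b"\x00" * 48               # entry carrying the CLSID
    )
    benign = CFB_MAGIC + b"\x00" * 504 + "\x01CompObj".encode("utf-16-le").ljust(64, b"\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/8tBm2rV.95PA7", suspicious)   # name from the report, synthetic bytes
        zf.writestr("xl/embeddings/oleObject1.bin", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_ooxml(build_sample()):
        print(severity(finding), finding)
```

Run it against a real file with `scan_ooxml(open(path, "rb").read())`. A raw byte search is deliberately used instead of walking the CFB directory: it still fires on containers with a corrupted FAT or directory chain, which is a common way samples try to break strict parsers, and the stream name is matched in any case so an "olE10NATIVE" spelling is not missed.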

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: bf40157102d447d92e5d2719d7406adf5ece14a86e7e84fa47f3c8fa6f6ce17f
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part xl/embeddings/8tBm2rV.95PA7
  Size:    1027072 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 6db45f52b13f63337cdb21337d154f90bfc2fa963633295477429c0921e79db2
  Kind:    ole-package
  Source:  OOXML xl/embeddings/8tBm2rV.95PA7, Ole10Native stream (stored in the file with the mixed-case name "olE10NATIVE")
  Size:    1016390 bytes