Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c43a3a0ce7d78798…

MALICIOUS

Office (OOXML) / .XLSX

Size: 659.4 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 3739645f289889f9008d2607eb2558e1
SHA-1: d32ffac570a059cc5582e7eb4668bb34c2b3fcc7
SHA-256: c43a3a0ce7d7879849045e4ff17ff6f6d74a3462bd2da91e0f0284d3768a2b96
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The primary finding is a high-severity heuristic indicating an Equation Editor OLE object embedded within the XLSX file. Embedding this legacy component is a common technique for exploiting known vulnerabilities in Microsoft Office, often leading to the execution of arbitrary code when the document is opened. No document body or scripts were extracted, which limits further analysis of the specific payload.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/av3uTc9.IUnsVE contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 81f1f65ec352e2068063330f746c6e472338d522f161ae4aff7015bc91e4a87f
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/av3uTc9.IUnsVE
    Size: 946688 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: eff944ed137a79e0b7f3212d583e58c7a5da762358e3cbaa0c2e7ea0dde653c7
    Kind: ole-package
    Source: OOXML xl/embeddings/av3uTc9.IUnsVE Ole10Native stream: oLE10NaTive
    Size: 936959 bytes