Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c45d31e44d57ed25…

Verdict: MALICIOUS
File type: Office (OOXML) / .XLSX
Size: 597.4 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
MD5: b084fdb4d0c9b94ab31e3a762a8ceae9
SHA-1: 40118c7bde4f52645b341ee5dacca239eeb482ef
SHA-256: c45d31e44d57ed25927e102efcfae85dd155f2496624c3958bdd4076d4e0b386
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The file is an OOXML document containing an embedded OLE object, specifically identified as an Equation Editor object. This strongly suggests the exploitation of a known vulnerability within the Equation Editor component to execute arbitrary code. The embedded OLE object is the primary indicator of this attack vector.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE-related; rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/l7.RdQP2F contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 0c3b4a517849c596085827d88b09b64fdef16cbe72b5b0fc9cd8fde17a8cb5cb
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/l7.RdQP2F
  Size: 843264 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: a86d6284c70fa6db97592e802eb498dcf867c8850f4fdc0dde3e8a1ac5064b36
  Kind: ole-package
  Source: OOXML xl/embeddings/l7.RdQP2F Ole10Native stream: oLe10NatIVE
  Size: 834389 bytes