Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c5a181f82d5b3f31…

MALICIOUS

Office (OOXML) / .XLSX

Size: 679.6 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300

MD5: 79362927d81d3dfb6675fa3f12299d5c
SHA-1: 9cc648816ac6b837a007336d83a940755b6b470d
SHA-256: c5a181f82d5b3f315f55a8ff7b1684a2ca5e91d75a032b6f6cfa1f00185a9f33

Risk score: 60

Malware Insights

MITRE ATT&CK
T1204 User Execution
T1559.001 Inter-Process Communication: Component Object Model

The sample is an Excel workbook (OOXML) containing one embedded OLE compound file, xl/embeddings/3cBFTTWf7.71o, whose root-entry CLSID identifies it as a Microsoft Equation Editor object. Equation Editor 3.0 (EQNEDT32.EXE) was removed from Office in the January 2018 updates, and an Equation Editor object in a workbook created in 2023 is a strong indicator that it is the vehicle for the known memory-corruption exploits against that component, which yield arbitrary code execution when the object is loaded. The same compound file also carries an Ole10Native (Packager) stream of roughly 973 KB, which is most likely the second-stage payload dropped and run once the exploit fires. Note the carved stream name ole10NatiVe: the canonical name is \x01Ole10Native, and because the compound-file format orders and matches directory entries by their upper-cased names, the altered case costs the attacker nothing while defeating detection rules that match the literal string.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE-related; rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/3cBFTTWf7.71o contains the Equation Editor CLSID ({0002CE02-0000-0000-C000-000000000046}), the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule OOXML_OLE_OBJECT)
    The document contains an embedded OLE object (xl/embeddings/3cBFTTWf7.71o).

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part xl/embeddings/3cBFTTWf7.71o
    Size: 983040 bytes
    SHA-256: e06f35bd4d3443aac349c978af1927f36d62d1a5d96e7eca08eae4ff88db2391
  • ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package
    Source: Ole10Native stream "ole10NatiVe" inside xl/embeddings/3cBFTTWf7.71o
    Size: 973242 bytes
    SHA-256: d4b878fa7b01c289baddd03efbb21852407b3c319840d9a7f645bcaf67b20d93
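The two heuristics and the two carved artifacts above come from one procedure: open the OOXML zip, find every embedding part regardless of its (here randomised) name, read the compound file's root-entry CLSID, and carve the packaged file out of any stream whose name is Ole10Native in any casing. The script below is an added example of that procedure and is not code from the analysis platform or from the sample; it uses only the Python standard library. Assumptions: the MS-CFB reader is minimal and only handles files whose FAT fits the 109 DIFAT slots in the header (under about 7 MB, which covers this sample); the Ole10Native layout is the one oletools parses; the CLSID constant is Equation Editor 3.0's; and the workbook it runs on is constructed in memory by build_sample_xlsx(), with a part name, payload and paths chosen for illustration. All function names are mine.

```python
# Added triage example (stdlib only): flag the Equation Editor CLSID in OOXML embeddings and carve
# the Ole10Native (Packager) payload, matching the stream name case-insensitively.
import io, struct, uuid, zipfile

EQNEDT_CLSID = "0002ce02-0000-0000-c000-000000000046"  # Microsoft Equation 3.0 (EQNEDT32.EXE)
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF


def parse_cfb(buf):
    """Minimal MS-CFB reader: (root-entry CLSID, {stream name: bytes}). Assumes the FAT fits
    the 109 DIFAT slots in the header (files under ~7 MB), which covers this sample."""
    if buf[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    ssz, msz = (1 << s for s in struct.unpack_from("<HH", buf, 0x1E))
    n_fat, dir_start, _, cutoff, minifat_start, n_minifat = struct.unpack_from("<6I", buf, 0x2C)
    sector = lambda n: buf[(n + 1) * ssz:(n + 2) * ssz]  # sector 0 follows the 512-byte header
    table = lambda secs: [e for s in secs for e in struct.unpack("<%dI" % (ssz // 4), sector(s))]
    def chain(fat, start):
        out = []
        while start < 0xFFFFFFFA and start not in out:  # stop at END/FREE markers and on cycles
            out.append(start)
            start = fat[start]
        return out
    fat = table(struct.unpack_from("<109I", buf, 0x4C)[:n_fat])
    raw = b"".join(sector(s) for s in chain(fat, dir_start))
    entries = [raw[i:i + 128] for i in range(0, len(raw), 128)]
    root_clsid = str(uuid.UUID(bytes_le=entries[0][0x50:0x60]))  # the COM server Office will load
    ministream = b"".join(sector(s) for s in chain(fat, struct.unpack_from("<I", entries[0], 0x74)[0]))
    minifat = table(chain(fat, minifat_start)) if n_minifat else []
    streams = {}
    for e in entries:
        name_len, etype = struct.unpack_from("<HB", e, 0x40)
        if etype != 2:  # 2 = stream (1 = storage, 5 = root, 0 = unused)
            continue
        start, size = struct.unpack_from("<IQ", e, 0x74)
        if size < cutoff:  # small streams live in the mini stream, in 64-byte mini sectors
            data = b"".join(ministream[s * msz:(s + 1) * msz] for s in chain(minifat, start))
        else:
            data = b"".join(sector(s) for s in chain(fat, start))
        streams[e[:name_len - 2].decode("utf-16-le")] = data[:size]
    return root_clsid, streams


def parse_ole10native(data):
    """Packager (Ole10Native) layout as oletools reads it: label, source path, temp path, file."""
    label, rest = data[6:].split(b"\x00", 1)  # skip the 4-byte total size and 2-byte flags
    src_path, rest = rest.split(b"\x00", 1)
    _temp_path, rest = rest[8:].split(b"\x00", 1)  # 8 bytes of flags and temp-path length
    size = struct.unpack_from("<I", rest)[0]
    return {"label": label.decode("latin-1"), "src_path": src_path.decode("latin-1"),
            "payload": rest[4:4 + size]}


def triage_ooxml(doc_bytes):
    """Embedding part names are arbitrary (the report's is 3cBFTTWf7.71o): walk */embeddings/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        for part in z.namelist():
            blob = z.read(part) if "/embeddings/" in part else b""
            if not blob.startswith(CFB_MAGIC):
                continue
            clsid, streams = parse_cfb(blob)
            f = {"part": part, "clsid": clsid, "streams": sorted(streams),
                 "equation_editor": clsid == EQNEDT_CLSID, "packaged": None}
            for name, data in streams.items():
                if name.lstrip("\x01").lower() == "ole10native":  # tolerate case-mangled names
                    f["packaged"] = parse_ole10native(data)
            findings.append(f)
    return findings


def build_sample_xlsx(payload=b"MZ" + b"\x90" * 150):
    """Constructed input: one embedding with the Equation Editor root CLSID and a single
    stream named 'ole10NatiVe' (as in the report's artifact) that packages `payload`."""
    tmp = b"C:\\tmp\\pkg\x00"
    body = (struct.pack("<H", 2) + b"calc.exe\x00" + b"C:\\Users\\x\\calc.exe\x00"
            + struct.pack("<HHI", 0, 3, len(tmp)) + tmp + struct.pack("<I", len(payload)) + payload)
    native = struct.pack("<I", len(body)) + body
    assert len(native) < 4096, "this writer only emits objects that fit the mini stream"
    n_mini, n_ms = -(-len(native) // 64), -(-len(native) // 512)
    mini = native.ljust(n_ms * 512, b"\0")
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + [4 + i for i in range(n_ms - 1)] + [ENDOFCHAIN]
    minifat = [i + 1 for i in range(n_mini - 1)] + [ENDOFCHAIN]  # sectors: 0 FAT, 1 dir, 2 miniFAT, 3.. ministream
    pack = lambda t: struct.pack("<128I", *(t + [FREESECT] * (128 - len(t))))
    def entry(name, etype, clsid, child, start, size):
        n = name.encode("utf-16-le") + b"\0\0"
        return n.ljust(64, b"\0") + struct.pack("<HBBIII16sIQQIQ", len(n), etype, 1, NOSTREAM,
                                                NOSTREAM, child, clsid, 0, 0, 0, start, size)
    directory = (entry("Root Entry", 5, uuid.UUID(EQNEDT_CLSID).bytes_le, 1, 3, len(mini))
                 + entry("ole10NatiVe", 2, b"\0" * 16, NOSTREAM, 0, len(native)) + b"\0" * 256)
    header = (CFB_MAGIC + b"\0" * 16 + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + b"\0" * 6
              + struct.pack("<9I", 0, 1, 1, 0, 4096, 2, 1, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *[FREESECT] * 108))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/embeddings/oleObject1.bin", header + pack(fat) + directory + pack(minifat) + mini)
    return out.getvalue()
```

Running triage_ooxml(build_sample_xlsx()) yields one finding with equation_editor set, the single stream name ole10NatiVe and the carved payload together with the label and original path from the Packager header. On a real sample the same call takes the workbook bytes; the only change needed for large embeddings such as this sample's 983 KB object is that they come from the regular FAT rather than the mini stream, which parse_cfb already handles by comparing the stream size against the header's mini-stream cutoff.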