Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c5d49d96b65e8033…

MALICIOUS

Office (OOXML) / .XLSX

645.0 KB Created: 2022-08-10 18:51:50 UTC Authoring application: Microsoft Excel 16.0300
MD5: 07c43a4ba358e45d69f1e5a92ad7e18e SHA-1: 34820ac587157cafede10d049574f5bc52eab7d5 SHA-256: c5d49d96b65e8033113e2e23a1706521962ebd251d6711890d0e1c3ad4133f98
60 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is an Excel spreadsheet containing an embedded OLE object identified as an Equation Editor. This is a common technique used to deliver exploits, often leveraging vulnerabilities within the Equation Editor itself. While no specific exploit code or payload was directly extracted, the presence of this object strongly suggests an attempt to exploit the user's system.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/6dVT1T.zEiKHH contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
a94452ea0499b4eac93797dafe172de7f0f31343e4f9bfbb58fa93273feaa9eb		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/6dVT1T.zEiKHH 911872 bytes
ooxml_oleobject_00_ole10native_00.bin
25298df17d18a8df124692b087fe12bb23dacc3bf39542f6c56db4c27baf9975		 ole-package OOXML xl/embeddings/6dVT1T.zEiKHH Ole10Native stream: OlE10NAtIve 902537 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.