Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c9841a078b8e9500…

MALICIOUS

Office (OOXML) / .XLSX

Size: 708.5 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2023-09-29
MD5: f18d887f0c6daf0445ec602021a100ef
SHA-1: 1e4983cb03146d1a711e79220f3a3c2f7c31d361
SHA-256: c9841a078b8e950096b9b0e9afa46308d8bb25dd8604e5ce9fbd95fc86812726
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
T1204.002 User Execution: Malicious File

The sample is an OOXML workbook carrying one embedded OLE object, xl/embeddings/PuTT.qKCqYCr, whose compound file contains the CLSID of the legacy Equation Editor component (EQNEDT32.EXE). Office activates such objects when the document is opened and hands them to Equation Editor; on unpatched builds the memory-corruption bugs listed under the heuristics below are triggered at that point, so no user interaction beyond opening the file is required. The part name is itself anomalous: Excel names embedded objects oleObjectN.bin, and 'PuTT.qKCqYCr' looks generated to avoid that convention. The same object also holds an Ole10Native (OLE Packager) stream of 941,382 bytes, carved below as the ole-package artifact; that packaged file is the most likely secondary payload and is the next thing to examine. Note that the stream is named 'OLE10naTIVe' rather than the canonical 'Ole10Native', a case variation consistent with evading case-sensitive signatures.

Heuristics 2

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/PuTT.qKCqYCr contains the Equation Editor 3.0 CLSID ({0002CE02-0000-0000-C000-000000000046}), the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    The document contains an embedded OLE object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • ooxml_oleobject_00.bin
    SHA-256: 1e1f35f60deeb3aed34c45ec1620de81ebe76b191eb9be37d36240cd70193e7d
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/PuTT.qKCqYCr
    Size: 951296 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 7612651b699a30eb43c94d7b12c406aa64ba1a32625f4635ebd38b70e38d91b3
    Kind: ole-package
    Source: OOXML xl/embeddings/PuTT.qKCqYCr, Ole10Native stream: OLE10naTIVe
    Size: 941382 bytes
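The two heuristics and the two carved artifacts above map onto a small triage routine: enumerate the parts under an embeddings/ folder of the OOXML zip, scan each for the CFB signature, the Equation Editor CLSID in its on-disk little-endian encoding and a case-insensitive Ole10Native directory-entry name, then parse the Packager stream to recover the packaged file. The following is an added example, not the analysis platform's own code. It assumes the Ole10Native field order that oletools uses (two undocumented DWORDs between the source path and the temp path), and its byte scan is a triage heuristic only: it does not walk the compound-file directory, so a confirmed verdict should still come from a real CFB parser such as olefile reading the root entry's CLSID. The sample workbook it builds is a constructed fixture, not a valid compound file.

```python
"""Added example (not the analysis platform's own code): triage an OOXML
container for embedded OLE parts matching the Equation Editor / Ole10Native
pattern reported above, and parse a carved Ole10Native stream.

Assumptions: the byte scan finds the CLSID and stream-name encodings without
parsing the compound-file directory, so it is a triage heuristic only; the
Ole10Native (Packager) layout follows the field order oletools uses, and the
two 'reserved' DWORDs are undocumented.
"""
import io
import re
import struct
import uuid
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"          # CFB header signature
# Equation Editor 3.0 (EQNEDT32.EXE) CLSID, the component behind the listed CVEs.
EQNEDT_CLSID = uuid.UUID("{0002CE02-0000-0000-C000-000000000046}")
# CFB directory entry names are UTF-16LE.  Match any case: the report shows
# 'OLE10naTIVe', which would slip past a case-sensitive 'Ole10Native' signature.
OLE10NATIVE_RE = re.compile(b"".join(bytes([c, 0]) for c in b"Ole10Native"), re.IGNORECASE)


def embedded_parts(ooxml_bytes):
    """Yield (part_name, part_bytes) for every part stored under an embeddings/ folder."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        for name in z.namelist():
            if "/embeddings/" in name and not name.endswith("/"):
                yield name, z.read(name)


def triage_part(data):
    """Return the heuristic tags that fire on one embedded part, in a fixed order."""
    tags = []
    if data[:8] == OLE_MAGIC:
        tags.append("OOXML_OLE_OBJECT")
    # CFB stores a directory entry's CLSID as a little-endian GUID (uuid.bytes_le).
    if EQNEDT_CLSID.bytes_le in data:
        tags.append("OLE_EQUATION_EDITOR")
    if OLE10NATIVE_RE.search(data):
        tags.append("OLE10NATIVE_STREAM")
    return tags


def triage_document(ooxml_bytes):
    """Map each embedded part name to the tags raised on it."""
    return {name: triage_part(data) for name, data in embedded_parts(ooxml_bytes)}


def _cstr(buf, off):
    """Read a NUL-terminated ANSI string starting at off; return (text, next_offset)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Parse a Packager (Ole10Native) stream into its metadata and packaged file bytes."""
    declared_size, flags = struct.unpack_from("<IH", stream, 0)
    label, off = _cstr(stream, 6)          # display name of the packaged file
    src_path, off = _cstr(stream, off)     # path on the author's machine
    reserved1, reserved2 = struct.unpack_from("<II", stream, off)  # undocumented DWORDs
    temp_path, off = _cstr(stream, off + 8)
    payload_size, = struct.unpack_from("<I", stream, off)
    payload = stream[off + 4:off + 4 + payload_size]
    if len(payload) != payload_size:
        raise ValueError("truncated Ole10Native payload")
    return {"declared_size": declared_size, "flags": flags, "label": label,
            "src_path": src_path, "temp_path": temp_path, "payload": payload}


def build_ole10native(label, src_path, temp_path, payload):
    """Serialize a Packager stream in the layout parse_ole10native reads (fixture builder)."""
    body = struct.pack("<H", 2) + label.encode() + b"\x00" + src_path.encode() + b"\x00"
    body += struct.pack("<II", 3, len(temp_path) + 1) + temp_path.encode() + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


def build_sample_xlsx():
    """Constructed fixture: a minimal OOXML zip with one fake embedded OLE part.
    Not a valid compound file; it only carries the byte patterns triage_part scans for."""
    part = OLE_MAGIC + b"\x00" * 504                       # 512-byte header placeholder
    part += "OLE10naTIVe".encode("utf-16-le") + b"\x00" * 8 + EQNEDT_CLSID.bytes_le
    part += build_ole10native("PuTT.qKCqYCr", "C:\\src\\PuTT.qKCqYCr",
                              "C:\\tmp\\PuTT.qKCqYCr", b"MZ" + b"\x90" * 30)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/embeddings/PuTT.qKCqYCr", part)
    return buf.getvalue()


if __name__ == "__main__":
    for name, tags in triage_document(build_sample_xlsx()).items():
        print(name, tags)
    meta = parse_ole10native(build_ole10native("PuTT.qKCqYCr", "C:\\src\\PuTT.qKCqYCr",
                                               "C:\\tmp\\PuTT.qKCqYCr", b"MZ" + b"\x90" * 30))
    print(meta["label"], meta["src_path"], len(meta["payload"]), "bytes")
```

On a real sample, run triage_document over the workbook bytes and, once a CFB parser has located the Ole10Native stream, feed its raw bytes to parse_ole10native; the returned payload is what the report carved as ooxml_oleobject_00_ole10native_00.bin, and its label and src_path often leak the operator's original filename and build path.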