Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ca94f672e0a78076…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX
Size: 660.3 KB
Created: 2024-09-30 12:55:35 UTC
Authoring application: Microsoft Excel 12.0000

MD5:     3b65d19f4f8f6a78f0b81a76b4377466
SHA-1:   96e39dfd3899d6c2c0525986bb98f62daf3bce47
SHA-256: ca94f672e0a78076b32e25a4acd186f60de0986dcebcd4d8bb61f3ceca33eb01

Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model (the object is activated through COM; the exploitation of Equation Editor itself is more precisely T1203 Exploitation for Client Execution)

The file is an Office workbook containing an embedded OLE object whose root-storage CLSID is that of Equation Editor 3.0 ({0002CE02-0000-0000-C000-000000000046}, EQNEDT32.EXE). This legacy component is the target of CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798, and weaponised documents of this kind are a common way to run arbitrary code from an Office file. No click on the object is required: when Office activates it, the out-of-process Equation Editor server is launched and parses the attacker-controlled object data, and in known campaigns this happens on open once the document leaves Protected View. Microsoft removed Equation Editor from Office in January 2018, so fully patched installations cannot launch it, but the object is a strong indicator of malicious intent regardless. The extracted artifacts show that the object's data (828082 of 837120 bytes) sits in an Ole10Native stream named oLE10NAtivE; CFB directory lookups are case-insensitive, so the loader still finds it, while tools that match the literal name "Ole10Native" would not, which points to deliberate evasion. The carved stream should be examined as the actual payload.

Heuristics (2)

  • Equation Editor OLE object [severity: high, CVE-related] (OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/dxCbvSi.Yba contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [severity: medium] (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: da36cbee923251fb3ca3469dadf0794533a69e8fac94a6b0100a3f42af0e6341
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/dxCbvSi.Yba
  Size:    837120 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 939dab77c89406f87b7257718075c0453c670cdc3bed05be23952e1d06fa4f54
  Kind:    ole-package
  Source:  OOXML xl/embeddings/dxCbvSi.Yba, Ole10Native stream: oLE10NAtivE
  Size:    828082 bytes
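The two checks the heuristics and artifacts above rely on, the Equation Editor CLSID match and the Ole10Native stream carve, can be reproduced with the short script below. It is an added example, not code from the original report or from the analysis engine that produced it. It assumes the Ole10Native layout as parsed by oletools' oleobj (size, flags, label, source path, two 32-bit fields, temp path, data size, data), matches the stream name case-insensitively the way a CFB loader does, and uses the `olefile` package only inside `scan_xlsx()` for real workbooks; the tag names and the sample Ole10Native blob returned by `constructed_sample()` are made up for this example.

```python
"""Triage an OOXML embedding (e.g. xl/embeddings/dxCbvSi.Yba) for Equation Editor abuse.

Added example; not part of the original report. Standard library only, except
that scan_xlsx() imports `olefile` lazily to read real CFB containers.
"""
import struct
import uuid
import zipfile

# CLSID of Equation Editor 3.0 (EQNEDT32.EXE), the component behind
# CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
EQUATION_EDITOR_CLSID = "0002ce02-0000-0000-c000-000000000046"


def clsid_from_bytes(raw):
    """Decode a 16-byte on-disk CLSID (Data1..Data3 little-endian) to text."""
    return str(uuid.UUID(bytes_le=raw))


def is_ole10native_name(stream_name):
    """CFB directory lookups are case-insensitive, so 'oLE10NAtivE' loads exactly
    like '\\x01Ole10Native'. Match the way the loader does, not by literal text."""
    return stream_name.lstrip("\x01").upper() == "OLE10NATIVE"


def _cstr(buf, off):
    """Read a NUL-terminated string at off; return (text, offset after the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(blob):
    """Parse an Ole10Native (OLE Package) stream into header fields and payload.

    Layout assumed here (as oletools' oleobj reads it):
      u32 size | u16 flags | label\\0 | src_path\\0 | u32 | u32 temp_len |
      temp_path\\0 | u32 data_size | data
    """
    declared_size, flags = struct.unpack_from("<IH", blob, 0)
    off = 6
    label, off = _cstr(blob, off)
    src_path, off = _cstr(blob, off)
    off += 8                                   # two u32 fields before the temp path
    temp_path, off = _cstr(blob, off)
    data_size = struct.unpack_from("<I", blob, off)[0]
    off += 4
    data = blob[off:off + data_size]
    if len(data) != data_size:
        raise ValueError("Ole10Native payload truncated")
    return {"declared_size": declared_size, "flags": flags, "label": label,
            "src_path": src_path, "temp_path": temp_path, "data": data}


def build_ole10native(label, src_path, temp_path, data):
    """Serialise a minimal Ole10Native stream (used only to construct test input)."""
    tmp = temp_path.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2) + label.encode("latin-1") + b"\x00"
            + src_path.encode("latin-1") + b"\x00"
            + struct.pack("<II", 0, len(tmp)) + tmp
            + struct.pack("<I", len(data)) + data)
    return struct.pack("<I", len(body)) + body


def constructed_sample():
    """Constructed blob, NOT taken from the analysed file: a fake PE-like payload."""
    return build_ole10native("report.scr", "C:\\src\\report.scr",
                             "C:\\tmp\\report.scr", b"MZ" + b"\x00" * 40)


def triage_embedding(root_clsid, stream_names):
    """Tag one embedded OLE object from its root-storage CLSID and stream names.
    Tag names are invented for this example."""
    tags = []
    if root_clsid.lower() == EQUATION_EDITOR_CLSID:
        tags.append("OLE_EQUATION_EDITOR")
    if any(is_ole10native_name(n.split("/")[-1]) for n in stream_names):
        tags.append("OLE10NATIVE_PAYLOAD")
    return tags


def scan_xlsx(path):
    """Walk xl/embeddings/* of a real workbook; returns {part: (tags, payload)}.
    Needs `pip install olefile`."""
    import olefile  # lazy, so the offline helpers above work without it
    results = {}
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if not name.startswith("xl/embeddings/"):
                continue
            part = z.read(name)
            if not olefile.isOleFile(part):
                continue
            ole = olefile.OleFileIO(part)
            streams = ["/".join(p) for p in ole.listdir(streams=True)]
            tags = triage_embedding(ole.root.clsid, streams)
            payload = None
            for s in streams:
                if is_ole10native_name(s.split("/")[-1]):
                    payload = parse_ole10native(ole.openstream(s).read())["data"]
            results[name] = (tags, payload)
    return results
```

Run `scan_xlsx("sample.xlsx")` against a workbook to get, per embedding part, the tags and the carved Ole10Native payload (write it out and hash it to compare with the artifact table). Matching the stream name through `upper()` rather than against the literal `Ole10Native` is the point of `is_ole10native_name`: the loader finds the mixed-case stream, so the detector must too.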