Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 cc68b174a61c2520…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX

Size: 604.3 KB
Created: 2023-11-17 18:26:59 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 12e0a3dcf447488865b8ec832fbefc21
SHA-1: 01603e70527cf3ad83c40356ee25a50d4f3da1c2
SHA-256: cc68b174a61c25205fcd3d75ad3a6a0a070cab3cf10cc15e8dffd04d1feac3ce
Risk Score: 60

Malware Insights

MITRE ATT&CK
  T1566.002 Phishing: Spearphishing Attachment
  T1204.002 User Execution: Malicious File

The primary indicator of maliciousness is an embedded OLE object whose CLSID identifies it as an Equation Editor (Equation.3) object. Equation Editor is the legacy EQNEDT32.EXE component that Microsoft removed from Office in January 2018; documents embedding it are the delivery vehicle for CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798, which execute arbitrary code when the document is opened, so the object is a strong indicator on its own. The object's part name 'xl/embeddings/MY.yu' (a non-standard extension for an embedded OLE part) is also listed as an IOC. The carved object additionally contains an Ole10Native stream of 870,419 bytes, i.e. a Packager payload (an arbitrary embedded file); its stream name is spelled 'ole10NATIVe' rather than the canonical 'Ole10Native', so scanners that match the name case-sensitively will miss it, and the payload should be carved and examined separately. No scripts were extracted, and the document body was truncated, limiting further analysis.

Heuristics (2)

  • OLE_EQUATION_EDITOR (high, CVE related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/MY.yu contains the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • OOXML_OLE_OBJECT (medium): Embedded OLE object
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: c4211bd236dacebaac477be39e00908d8fc60778d1edbce2a3c1633d89b0df46
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part xl/embeddings/MY.yu
  Size: 880,128 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: b7aff036dd42b1d337e43315b4fb19d7685fff84a9b3194be6aeee600463a1b3
  Kind: ole-package
  Source: Ole10Native stream 'ole10NATIVe' inside OOXML part xl/embeddings/MY.yu
  Size: 870,419 bytes
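The two heuristics above, and the stream name recorded in the extracted artifacts, as an added example (this is not the report generator's code): a standard-library-only Python triage script that opens an OOXML package as a ZIP, parses the directory of every Compound File found under an embeddings/ folder, flags a root-entry CLSID of {0002CE02-0000-0000-C000-000000000046} (Equation.3) and any Ole10Native stream, matched case-insensitively so a spelling like the sample's 'ole10NATIVe' is still caught, and also reports the progId attributes named in the sheet XML. The .xlsx it scans is constructed in memory to mirror this sample's layout (a part named xl/embeddings/MY.yu carrying an Ole10Native stream of 870,419 bytes); the Compound File it builds is minimal test data, not the real sample, and the sheet XML fragment is likewise constructed.

```python
import io
import re
import struct
import uuid
import zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
# CLSID of the legacy Equation Editor 3.0 object ("Equation.3", EQNEDT32.EXE).
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
# Match the Packager stream name case-insensitively: the sample spells it "ole10NATIVe".
OLE10NATIVE_RE = re.compile(r"^\x01?Ole10Native$", re.IGNORECASE)
PROGID_RE = re.compile(rb'progid="([^"]+)"', re.IGNORECASE)


def cfb_directory(blob):
    """Yield (name, type, clsid, size) for each used directory entry of an OLE Compound File.
    Minimal [MS-CFB] reader: FAT taken from the 109 DIFAT slots in the header (files under
    ~7 MB at 512-byte sectors), truncated input tolerated; sector n sits at (n+1)*sector_size."""
    if not blob.startswith(CFB_MAGIC):
        return
    major, = struct.unpack_from("<H", blob, 0x1A)
    sector_size = 1 << struct.unpack_from("<H", blob, 0x1E)[0]
    first_dir, = struct.unpack_from("<I", blob, 0x30)
    fat = []
    for sec in struct.unpack_from("<109I", blob, 0x4C):
        if sec >= 0xFFFFFFFA or (sec + 2) * sector_size > len(blob):
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), blob, (sec + 1) * sector_size))
    sec, seen = first_dir, set()
    while sec < 0xFFFFFFFA and sec not in seen and (sec + 2) * sector_size <= len(blob):
        seen.add(sec)
        base = (sec + 1) * sector_size
        for off in range(base, base + sector_size, 128):
            name_len, etype = struct.unpack_from("<HB", blob, off + 0x40)
            if etype == 0 or not 2 <= name_len <= 64:
                continue  # unused entry, or a corrupt name length
            name = blob[off:off + name_len - 2].decode("utf-16-le", "replace")
            clsid = uuid.UUID(bytes_le=blob[off + 0x50:off + 0x60])
            size, = struct.unpack_from("<Q", blob, off + 0x78)
            yield name, etype, clsid, (size & 0xFFFFFFFF) if major == 3 else size
        sec = fat[sec] if sec < len(fat) else ENDOFCHAIN


def scan_ooxml(package):
    """Apply the report's OOXML_OLE_OBJECT and OLE_EQUATION_EDITOR checks to a package (bytes)."""
    hits = {"ole_objects": [], "equation_editor": [], "ole10native": [], "progids": []}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for part in z.namelist():
            data = z.read(part)
            if "/embeddings/" in part.lower() and data.startswith(CFB_MAGIC):
                hits["ole_objects"].append(part)
                for name, etype, clsid, size in cfb_directory(data):
                    if etype == 5 and clsid == EQNEDT_CLSID:        # root storage CLSID = object class
                        hits["equation_editor"].append(part)
                    elif etype == 2 and OLE10NATIVE_RE.match(name):  # stream carrying a Packager payload
                        hits["ole10native"].append((part, name, size))
            elif part.lower().endswith(".xml"):
                # The sheet XML names the class as well, e.g. <oleObject progId="Equation.3" ...>.
                hits["progids"] += [m.decode() for m in PROGID_RE.findall(data)]
    return hits


def _dir_entry(name, etype, clsid=None, child=FREESECT, size=0):
    """One 128-byte CFB directory entry (constructed test data)."""
    e = bytearray(128)
    n = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(n)] = n
    struct.pack_into("<HBBIII", e, 0x40, len(n), etype, 1, FREESECT, FREESECT, child)
    e[0x50:0x60] = (clsid or uuid.UUID(int=0)).bytes_le
    struct.pack_into("<IQ", e, 0x74, ENDOFCHAIN, size)
    return bytes(e)


def build_sample_xlsx(root_clsid=EQNEDT_CLSID, stream="\x01ole10NATIVe", size=870419, progid="Equation.3"):
    """Construct an in-memory .xlsx whose xl/embeddings/MY.yu is a minimal, valid Compound File
    (header, one FAT sector, one directory sector) mirroring the report's layout. Test data only."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # v3, 512-byte sectors
    struct.pack_into("<7I", hdr, 0x2C, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN)  # 1 FAT sector, dir at sector 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)      # DIFAT: the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)
    directory = _dir_entry("Root Entry", 5, root_clsid, child=1) + _dir_entry(stream, 2, size=size)
    sheet = '<worksheet><oleObjects><oleObject progId="%s" shapeId="1025" r:id="rId1"/></oleObjects></worksheet>' % progid
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/embeddings/MY.yu", bytes(hdr) + fat + directory.ljust(512, b"\x00"))
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in scan_ooxml(build_sample_xlsx()).items():
        print("%-16s %s" % (key, value))
```

Pass the bytes of a real .xlsx to scan_ooxml() to triage it; the root-entry CLSID check is the one the OLE_EQUATION_EDITOR heuristic relies on, and the progId check in the sheet XML gives a second, independent signal when the embedded part is damaged or truncated. For production work a full [MS-CFB] implementation such as olefile handles DIFAT sectors and mini streams that this minimal reader deliberately skips.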