Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 cc996fa64004c09d…

MALICIOUS

Office (OOXML) / .XLSX

686.9 KB Created: 2023-10-10 00:59:27 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2023-10-10
MD5: 093a7d0b14bbfc9dc84c578a8b111edf SHA-1: bd54dc220ed240508726d5d76141bb2f6f6c5b67 SHA-256: cc996fa64004c09d6da4318d118c4aa8f15c51e946fc4b2c88c758ee745ae1da
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The sample is an Excel file containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. Heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous header and a significantly larger declared inner size than the actual stream size, strongly suggesting exploitation. The document body text is benign, indicating the lure is likely external to the text content itself. The presence of an Equation Editor exploit points to a common delivery method for malware.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/7v8YM.2834 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
4d85a8fcf835bcf9f3ab9e6f462b28bb7d191823d864d5a4ff58c705ed85be89		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/7v8YM.2834 929280 bytes
ooxml_oleobject_00_ole10native_00.bin
2a1a858cf6bd7a3ef434eaad1f00c2f3e7de7c5fe8248e5196da1cab72d30aed		 ole-package OOXML xl/embeddings/7v8YM.2834 Ole10Native stream: oLe10NaTIvE 919518 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.