Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ccae6dda8f6f5637…

MALICIOUS

Office (OOXML) / .XLSX

Size: 707.0 KB
Created: 2023-11-17 18:26:59 UTC
Authoring application: Microsoft Excel 12.0000
MD5: ee98a1d52ed736d82191c974a7a66694
SHA-1: e52a106550e320656166ee1a0a1b3d01e6f7e9a3
SHA-256: ccae6dda8f6f5637da407188751ef9265975ab9df9f5c0d423785637bfd75bf7
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File

The file is an Excel spreadsheet containing an embedded OLE object identified as an Equation Editor object. Embedding this legacy component is a common technique for exploiting known Equation Editor vulnerabilities or delivering malicious content. Although no specific script or URL was extracted, the presence of the Equation Editor OLE object strongly suggests an attempt to leverage this component for malicious purposes, most likely to execute a secondary payload.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/xHHIO4.lj7n contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 816771f0b3bd9f18dc9abe851c4e1a6d632fabf36888fb5d311585c9a6d4718b
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/xHHIO4.lj7n
    Size: 993792 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 21f272074152820f297df243aa2907cd330c4d8670e94531de8c366ed5412bd2
    Kind: ole-package
    Source: OOXML xl/embeddings/xHHIO4.lj7n Ole10Native stream: oLe10NaTIVE
    Size: 983471 bytes