Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ccc1b3d80fae91a8…

MALICIOUS

Office (OOXML) / .XLSX

Size: 605.4 KB
Created: 2023-11-17 18:26:59 UTC
Authoring application: Microsoft Excel 12.0000
MD5: cd690c686ef4666779b5180119dcd414
SHA-1: fbed329b57b1ee35cda302958e76c1f6167a605a
SHA-256: ccc1b3d80fae91a85b7bec56ae436ca672c7856f23803f0d058cd45b4bb0ab76
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is an Excel spreadsheet containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object is frequently used to exploit vulnerabilities, such as CVE-2017-11882, to execute arbitrary code. The presence of this object strongly suggests an attempt to deliver a malicious payload through a document-based exploit. No scripts were extracted, and the document body was truncated, limiting further analysis of the specific payload.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/Wyyd.RP contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 04831fddb5b008cc55cc9ca41e794252643b7f02b4f62f54c2d9f4ebe9c34a1a
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/Wyyd.RP
    Size: 824320 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 23a754daa7319178c4aa3aac47371c5935ebda92322edf8281b848b94d5da6bd
    Kind: ole-package
    Source: OOXML xl/embeddings/Wyyd.RP Ole10Native stream: OLe10NATIVE
    Size: 815230 bytes