Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 cdbf19d2e2d34cc6…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX

Size: 613.8 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
(Both values come from the document's own metadata, which the author controls; the mismatch between an Excel 15 (Office 2013) application tag and a 2010 creation date is worth noting but is not evidence on its own.)

MD5: 93c92531ac78d1f4bb357c91b80ca5d2
SHA-1: e61f1d5a3439982077c9d31a8d8b6ffa067a2401
SHA-256: cdbf19d2e2d34cc6456a63de2dcef135d70a1f29e5df6f5729b2697ed4ccc644

Risk score: 60

Malware Insights

MITRE ATT&CK
T1204 User Execution
T1204.001 User Execution: Malicious Link
T1059 Command and Scripting Interpreter

The sample is an Excel OOXML document with an embedded OLE object (xl/embeddings/6h.jF) whose root CLSID ({0002CE02-0000-0000-C000-000000000046}) identifies it as a Microsoft Equation Editor (EQNEDT32.EXE) object. That legacy component is the target of CVE-2017-11882 (a stack buffer overflow in its handling of the font-name field of an Equation Native record) and of the follow-up bugs CVE-2018-0802 and CVE-2018-0798, all of which yield code execution as soon as the object is loaded, with no macro and no prompt beyond opening the file. Equation Editor objects are rare in legitimate spreadsheets, so the CLSID alone is a strong indicator. No scripts or macros were extracted. The analysis did not dump the shellcode itself, so the usual chain (overflow in the Equation Native stream, shellcode that downloads or drops a secondary payload, then executes it) is inferred from the object type rather than observed. The Ole10Native (Packager) stream carved from the same object, at 842368 bytes, is the obvious place to look for a dropped payload and should be triaged next.

Heuristics (2)

  • OLE_EQUATION_EDITOR (severity: high; CVE related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/6h.jF contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • OOXML_OLE_OBJECT (severity: medium): Embedded OLE object
    Document contains an embedded OLE object.
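The two heuristics above amount to a short static check: open the OOXML zip, find the embedded OLE parts, read the root entry's CLSID from the compound file's first directory sector, and look for an Ole10Native stream without trusting the casing of its name. The following is an added example written for this page, not the report's own scanner. It reads only the first directory sector (enough for a small embedded object and needs no FAT walking), uses the well-known Equation Editor CLSID as its only signature, and builds its own constructed test input, a minimal compound file that declares an Equation Editor root entry and a stream named "\x01oLe10natIVe" as in this sample; the part name oleObject1.bin and the helper names are assumptions.

```python
import io
import struct
import uuid
import zipfile

# Added example, not the report's own scanner. CLSID of the legacy Equation Editor
# (EQNEDT32.EXE) component; the OLE_EQUATION_EDITOR heuristic keys on this value.
EQUATION_EDITOR_CLSID = "0002ce02-0000-0000-c000-000000000046"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
EMBEDDING_DIRS = ("xl/embeddings/", "word/embeddings/", "ppt/embeddings/")


def parse_cfb_first_dir_sector(blob):
    """Return (root_clsid, [stream names]) from a CFB blob, or None if not CFB.

    Only the first directory sector is read: the header addresses it directly,
    so no FAT walking is needed, and for a small embedded object it holds the
    root entry (whose CLSID names the OLE server) and the object's streams.
    """
    if blob[:8] != CFB_MAGIC:
        return None
    sector_size = 1 << struct.unpack_from("<H", blob, 0x1E)[0]
    first_dir_sect = struct.unpack_from("<I", blob, 0x30)[0]
    dir_offset = (first_dir_sect + 1) * sector_size
    root_clsid, streams = None, []
    for i in range(sector_size // 128):
        entry = blob[dir_offset + i * 128:dir_offset + (i + 1) * 128]
        if len(entry) < 128:
            break
        name_len = struct.unpack_from("<H", entry, 0x40)[0]  # bytes incl. UTF-16 NUL
        obj_type = entry[0x42]  # 0 unused, 1 storage, 2 stream, 5 root storage
        if obj_type == 0 or name_len < 2:
            continue
        name = entry[:name_len - 2].decode("utf-16-le", "replace")
        if obj_type == 5:
            root_clsid = str(uuid.UUID(bytes_le=bytes(entry[0x50:0x60])))
        elif obj_type == 2:
            streams.append(name)
    return root_clsid, streams


def scan_ooxml(doc_bytes):
    """Flag embedded OLE parts that are Equation Editor objects or that carry an
    Ole10Native (Packager) stream. Stream names are compared case-insensitively
    after dropping the 0x01 prefix, so a non-canonical name such as
    "oLe10natIVe" is still caught."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for part in zf.namelist():
            if not part.startswith(EMBEDDING_DIRS):
                continue
            parsed = parse_cfb_first_dir_sector(zf.read(part))
            if parsed is None:
                continue
            clsid, streams = parsed
            if clsid == EQUATION_EDITOR_CLSID:
                findings.append(("OLE_EQUATION_EDITOR", part, clsid))
            for name in streams:
                if name.lstrip("\x01").lower() == "ole10native":
                    findings.append(("OLE10NATIVE_STREAM", part, name))
    return findings


def build_sample_xlsx(stream_name="\x01oLe10natIVe"):
    """Constructed test input (not the analysed sample): a minimal OOXML zip with
    one embedded CFB object whose root CLSID is Equation Editor and which declares
    a single stream. Only the CFB header and directory sector are populated."""
    sector = 512
    header = bytearray(sector)
    header[:8] = CFB_MAGIC
    struct.pack_into("<H", header, 0x1A, 3)       # major version 3
    struct.pack_into("<H", header, 0x1C, 0xFFFE)  # little-endian marker
    struct.pack_into("<H", header, 0x1E, 9)       # sector shift: 512-byte sectors
    struct.pack_into("<I", header, 0x30, 0)       # first directory sector = 0
    directory = bytearray(sector)

    def entry(name, obj_type, clsid=None):
        ent = bytearray(128)
        raw = (name + "\x00").encode("utf-16-le")
        ent[:len(raw)] = raw
        struct.pack_into("<H", ent, 0x40, len(raw))
        ent[0x42] = obj_type
        if clsid:
            ent[0x50:0x60] = uuid.UUID(clsid).bytes_le
        return ent

    directory[0:128] = entry("Root Entry", 5, EQUATION_EDITOR_CLSID)
    directory[128:256] = entry(stream_name, 2)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/embeddings/oleObject1.bin", bytes(header + directory))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_ooxml(build_sample_xlsx()):
        print(finding)
```

Run it against a real document with scan_ooxml(open(path, "rb").read()). Reading only the first directory sector is deliberate: it keeps the check dependency-free and fast, but an object whose directory spans several sectors (or whose directory has been deliberately fragmented) needs a full CFB parser such as olefile to enumerate every stream.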

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    SHA-256: 3b4d787cbce16c404cdb45f16695e890dedb5c6fb64164e726e467d845baf00a
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part xl/embeddings/6h.jF
    Size: 851456 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: ad82491cb09ab84278c1f807a09cd41849efeb00869e236237b69c673d746d91
    Kind: ole-package
    Source: Ole10Native stream "oLe10natIVe" inside xl/embeddings/6h.jF
    Size: 842368 bytes

Note the non-canonical casing of the stream name (oLe10natIVe rather than Ole10Native). Detection rules or carving scripts that match the stream name as an exact string will miss it; match case-insensitively. The second artifact accounts for almost all of the object's 851456 bytes, so the Packager stream, not the Equation Native record, is where the bulk of the embedded content sits.
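The carved Ole10Native stream is a Packager wrapper around a dropped file, and the next step a practitioner takes is to unwrap it and look at what it carries. The following is an added example, not the report's carving tool. It parses the stream using the widely used Packager layout (size of the rest of the stream, a 16-bit type word, NUL-terminated label and source path, a 32-bit field that is normally zero, a length-prefixed temp path, then the payload size and the payload), refuses truncated or inconsistent streams instead of returning partial data, and does a cheap magic-byte triage of the payload. The sample stream it builds (invoice.exe and the Windows paths) is constructed input, not taken from this sample.

```python
import struct

# Added example, not the report's carving tool. Layout follows the Packager
# (Ole10Native) convention: 32-bit size of the rest of the stream, 16-bit type
# word (normally 0x0002), NUL-terminated label and source path, a 32-bit field
# that is usually zero, a 32-bit length followed by the NUL-terminated temp path,
# then the 32-bit payload size and the payload bytes.

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _cstring(buf, pos):
    """Read a NUL-terminated byte string at pos; return (text, position after NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Parse an Ole10Native stream into its metadata and embedded payload.

    Raises ValueError on a truncated or inconsistent stream rather than
    returning a partial payload, so a caller never hashes garbage as the
    dropped file.
    """
    if len(stream) < 6:
        raise ValueError("stream too short")
    declared = struct.unpack_from("<I", stream, 0)[0]
    if declared + 4 > len(stream):
        raise ValueError("declared size %d exceeds stream length %d"
                         % (declared, len(stream)))
    type_word = struct.unpack_from("<H", stream, 4)[0]
    pos = 6
    label, pos = _cstring(stream, pos)
    src_path, pos = _cstring(stream, pos)
    _unused, temp_len = struct.unpack_from("<II", stream, pos)
    pos += 8
    temp_path = stream[pos:pos + temp_len].rstrip(b"\x00").decode("latin-1")
    pos += temp_len
    data_size = struct.unpack_from("<I", stream, pos)[0]
    pos += 4
    if pos + data_size > len(stream):
        raise ValueError("payload size %d exceeds stream" % data_size)
    return {
        "type": type_word,
        "label": label,
        "src_path": src_path,
        "temp_path": temp_path,
        "size": data_size,
        "payload": stream[pos:pos + data_size],
    }


def is_well_formed(stream):
    """True if the stream parses cleanly; run this before trusting a carved artifact."""
    try:
        parse_ole10native(stream)
        return True
    except (ValueError, struct.error):
        return False


def payload_kind(payload):
    """Cheap triage of the carved payload by magic bytes."""
    if payload[:2] == b"MZ":
        return "PE executable"
    if payload[:8] == CFB_MAGIC:
        return "OLE compound file"
    if payload[:4] == b"PK\x03\x04":
        return "ZIP/OOXML"
    return "unknown"


def build_ole10native(label, src_path, temp_path, payload):
    """Constructed sample builder (inverse of the parser) used to make test input."""
    temp = temp_path.encode("latin-1") + b"\x00"
    body = struct.pack("<H", 2)
    body += label.encode("latin-1") + b"\x00"
    body += src_path.encode("latin-1") + b"\x00"
    body += struct.pack("<II", 0, len(temp)) + temp
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    sample = build_ole10native("invoice.exe", "C:\\Users\\victim\\invoice.exe",
                               "C:\\Temp\\invoice.exe", b"MZ" + b"\x00" * 62)
    info = parse_ole10native(sample)
    print(info["label"], info["src_path"], info["size"], payload_kind(info["payload"]))
```

A quick integrity check on the carved artifact above: the 32-bit value at offset 0 of an intact Ole10Native stream equals the stream length minus 4, so for the 842368-byte stream it should read 842364; the label and source path then tell you what the attacker named the dropped file and where it was packaged from, and the payload-size field separates the embedded file from the wrapper before hashing it.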