Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 cdf1bfb19d88c50b…

MALICIOUS

Office (OOXML) / .XLSX

673.8 KB Created: 2022-08-10 18:51:50 UTC Authoring application: Microsoft Excel 16.0300
MD5: 4b22c07fb424afb33b4b43c318320f16 SHA-1: 934fcf9df919e9b01578937ca337c119c4829a7f SHA-256: cdf1bfb19d88c50b067c8241ac2cdd1996d7efed86e2c68f70ef79285f436000
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The file is an Excel document containing an embedded OLE object, identified as an Equation Editor object. This is a common technique used to disguise and deliver malicious content. The embedded object itself, 'xl/embeddings/8xys.aZvd4M', is a primary indicator of compromise. While no scripts were extracted, the presence of the OLE object strongly suggests an attempt to exploit vulnerabilities or deliver a secondary payload upon opening.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/8xys.aZvd4M contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
4c0b06819312728c1869ee626352b62c082dbd48595b06c7e728e23699e04a38		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/8xys.aZvd4M 982016 bytes
ooxml_oleobject_00_ole10native_00.bin
23adba622ffefe6ec3801169aa83ac99d9345c68a270c483e3b6aa255e13d312		 ole-package OOXML xl/embeddings/8xys.aZvd4M Ole10Native stream: oLE10naTive 971806 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.