Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 cea5afd13b92e129…

MALICIOUS

Office (OOXML) / .XLSX

Size: 673.8 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 132a3570cc09c2e1e315e008004a0d1e
SHA-1: 3866bceec9cf288999c245fe6949b9d0ce42ca0b
SHA-256: cea5afd13b92e129cb92104427d1d7915c5ccce1ba85ef314f2db1d6e115b456
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The high-severity heuristic firing for 'Equation Editor OLE object' indicates the presence of a known exploit vector within the embedded OLE object. This technique is commonly used to execute arbitrary code, often leading to the download and execution of further malicious stages. The embedded OLE object itself is a significant indicator of malicious intent.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/F2KsaIsN.Ec contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 35299ca9ae87ae08939f1852c6ecbadf453327e7d48e199362af7e6aa92d0aba
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/F2KsaIsN.Ec
  Size: 935936 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 273a87a9aaf2f957e23374d1f55075c23ff87216e028fd85ca3cef60994f8aec
  Kind: ole-package
  Source: OOXML xl/embeddings/F2KsaIsN.Ec Ole10Native stream: OlE10NATivE
  Size: 925756 bytes