Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 d31a9e13a2911d10…

MALICIOUS

Office (OOXML) / .XLSX

915.1 KB Created: 2015-06-05 18:17:20 UTC Authoring application: Microsoft Excel 16.0300
MD5: 73fd510c5129076c60673f6b2a9f4a9b SHA-1: fdf2c44e484693aa63c44b5ff66160f641aab5a1 SHA-256: d31a9e13a2911d103c65463dc8cb8d1253493f8ab9cad34adc3cad00f1c7d235
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model; T1204.002 User Execution: Malicious File

The file is an Excel workbook (OOXML) containing an embedded OLE object whose CLSID identifies it as an Equation Editor object. Equation Editor is a legacy component with well-known memory-corruption vulnerabilities that are routinely abused to run attacker-supplied code when the document is opened, so an Equation Editor object inside a spreadsheet is a strong indicator of that attack pattern on its own. No scripts were extracted, and the visible sheet content is sales data, which is most likely a lure. Note that the CLSID establishes only the object type; whether the roughly 1 MB Ole10Native stream carved from it (see extracted artifacts) actually carries an exploit or payload has to be determined by inspecting that artifact.

Heuristics (2)

  • Equation Editor OLE object (high severity, CVE related, rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/u4u.BCuUo4 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • Embedded OLE object (medium severity, rule OOXML_OLE_OBJECT)
    The document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

ooxml_oleobject_00.bin
  SHA-256: 435c898803c4611d1065401c4475c517275aead374346160c23ab53b3e0c17d4
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part xl/embeddings/u4u.BCuUo4
  Size: 1053696 bytes

ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 3c372162f1c77d50b41a446b2bb5affb1d05ba9a2e549aee9d6285762c9ec7f7
  Kind: ole-package
  Source: Ole10Native stream inside OOXML part xl/embeddings/u4u.BCuUo4
  Size: 1042675 bytes
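The two checks the report relies on, locating the Equation Editor CLSID in an embedded OLE part and unpacking the Ole10Native (OLE Packager) stream carved from it, can be reproduced with the standard library alone. The script below is an added example, not the analysis platform's own code: it walks the xl/embeddings/ parts of an .xlsx, scans each for the Equation Editor CLSID in the byte order a compound-file directory entry uses, and parses an Ole10Native stream body into its label, source path and payload. The sample workbook and Ole10Native stream it runs on are constructed in-line for illustration (the "embedding parts" are not real compound files), and in practice the Ole10Native bytes would first be pulled out of the compound file with a CFB parser such as olefile; the field layout used is the one commonly read by oletools-style parsers.

```python
import io
import struct
import uuid
import zipfile

# Equation Editor 3.0 class identifier, the CLSID the OLE_EQUATION_EDITOR
# heuristic keys on. A compound-file directory entry stores it as a GUID with
# little-endian data1..data3 fields, which is exactly what uuid.bytes_le gives.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQNEDT_CLSID_BYTES = EQNEDT_CLSID.bytes_le


def embedded_ole_parts(xlsx_bytes):
    """Return {part name: bytes} for every part stored under xl/embeddings/."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        return {name: zf.read(name) for name in zf.namelist()
                if name.startswith("xl/embeddings/")}


def has_equation_editor_clsid(part):
    # A substring scan is enough: the CLSID sits in the root directory entry
    # of the compound file, so no sector walking is needed to find it.
    return EQNEDT_CLSID_BYTES in part


def triage(xlsx_bytes):
    """Map each embedded OLE part to whether it references Equation Editor."""
    return {name: has_equation_editor_clsid(data)
            for name, data in embedded_ole_parts(xlsx_bytes).items()}


def _cstring(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end], end + 1


def parse_ole10native(stream):
    """Parse an Ole10Native (OLE Packager) stream body into its fields.

    Layout as oletools-style parsers read it: u32 size of the rest, u16 flags,
    NUL-terminated label, NUL-terminated source path, u32 reserved, u32 temp
    path length, temp path, u32 payload length, payload.
    """
    declared, flags = struct.unpack_from("<IH", stream, 0)
    pos = 6
    label, pos = _cstring(stream, pos)
    src_path, pos = _cstring(stream, pos)
    _reserved, temp_len = struct.unpack_from("<II", stream, pos)
    pos += 8
    temp_path = stream[pos:pos + temp_len].rstrip(b"\x00")
    pos += temp_len
    (data_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    payload = stream[pos:pos + data_len]
    if len(payload) != data_len:
        raise ValueError("Ole10Native payload truncated")
    return {
        "declared_size": declared,
        # a mismatch here is itself worth noting during triage
        "size_consistent": declared + 4 == len(stream),
        "flags": flags,
        "label": label.decode("latin-1"),
        "src_path": src_path.decode("latin-1"),
        "temp_path": temp_path.decode("latin-1"),
        "payload": payload,
    }


def build_ole10native(label, src_path, temp_path, payload):
    """Constructed Ole10Native stream for the demo (not carved from the sample)."""
    body = struct.pack("<H", 2)
    body += label + b"\x00" + src_path + b"\x00"
    body += struct.pack("<II", 0, len(temp_path) + 1) + temp_path + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


def build_sample_xlsx():
    """Constructed .xlsx-shaped zip: one embedding part carrying the Equation
    Editor CLSID and one that does not. The parts are stand-ins, not valid CFB."""
    cfb_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/embeddings/oleObject1.bin",
                    cfb_magic + b"\x00" * 64 + EQNEDT_CLSID_BYTES)
        zf.writestr("xl/embeddings/oleObject2.bin", cfb_magic + b"\x00" * 80)
    return buf.getvalue()


if __name__ == "__main__":
    for name, hit in triage(build_sample_xlsx()).items():
        print(f"{name}: {'Equation Editor CLSID present' if hit else 'no match'}")
    info = parse_ole10native(build_ole10native(
        b"payload.exe", b"C:\\src\\payload.exe", b"C:\\Temp\\payload.exe", b"MZ..."))
    print(info["label"], len(info["payload"]), info["size_consistent"])
```

The CLSID scan is deliberately independent of compound-file parsing, so it also fires on malformed or truncated embeddings that a strict CFB parser would reject; the Ole10Native parser, by contrast, needs the reassembled stream and checks the declared size against what it was given so that a stream padded or cut by sector boundaries is flagged rather than silently accepted.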