Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 d405884892b03480…

MALICIOUS

Office (OOXML) / .XLSX

711.6 KB Created: 2020-07-07 21:52:29 UTC Authoring application: Microsoft Excel 16.0300
MD5: 90027d740c333ea2139aed4af8786520 SHA-1: b3fa909bd0be9386d0d42ed5ffe80e66784cec5f SHA-256: d405884892b0348082f073e0f75df7772a5da2099722789e2989a6c82bbfc9c2
60 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The high-severity heuristic firing for 'OLE_EQUATION_EDITOR' indicates the presence of a vulnerable Equation Editor OLE object within the XLSX file. This is a common technique used to exploit vulnerabilities, such as CVE-2017-11882, to execute arbitrary code. The embedded OLE object is the primary indicator of malicious intent.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/gvX5t.DLboQDg contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
9f15542f094a098c302e6c47d31377f31d83ce670e9ceede54d01b5fd67dae2d		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/gvX5t.DLboQDg 877056 bytes
ooxml_oleobject_00_ole10native_00.bin
2baca44d3cededbc1c899b58b50475e0e682eba005db1020e92f2c016a4a11aa		 ole-package OOXML xl/embeddings/gvX5t.DLboQDg Ole10Native stream: Ole10Native 867343 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.