Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 d4e1391a4c091eb9…

MALICIOUS

Office (OOXML) / .XLSX

Size: 670.7 KB
Created: 2019-11-27 09:20:57 UTC
Authoring application: Microsoft Excel 12.0000
MD5: aea58eb70601d6c06d73b14c047d2274
SHA-1: 38a71f5ec2abe59a8fab0d13a46ac2a86ef0e2bf
SHA-256: d4e1391a4c091eb93ee714ad3b7cb38363d1859c156a9c70d34f2176eb17af37
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The file is an OOXML spreadsheet carrying one embedded OLE object (xl/embeddings/njiVK.Zp7h) that contains the CLSID of Equation Editor 3.0 (EQNEDT32.EXE), the legacy component targeted by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. Equation Editor objects are almost never embedded legitimately in a modern spreadsheet and are a well-known vehicle for memory-corruption exploits, so the object is flagged as an exploit rather than as a formula. Two details reinforce that reading: a genuine equation object is a few hundred bytes, whereas this one holds a 953,317-byte Ole10Native (Packager) stream, far more consistent with a dropped payload than with formula data; and the embedding part is not the oleObject1.bin name Excel writes but a random name with a nonsense extension. The Ole10Native stream is spelled OLe10NaTivE; compound-file stream names are matched case-insensitively, so this costs the attacker nothing at runtime but defeats exact-match signatures. No VBA or other scripts were extracted, and the visible sheet content is unrelated inventory data that gives no further clue to the lure. Whether the exploit actually fires depends on the target: Microsoft removed Equation Editor in the January 2018 Office updates, so a fully patched installation will not load the object, while an unpatched one executes attacker code as soon as the document is opened.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE related; rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/njiVK.Zp7h contains the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}, identifying EQNEDT32.EXE, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
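The following script is an added example, not the analysis platform's own code, showing how both heuristics above can be reproduced from a raw .xlsx. It opens the OOXML zip, scans every part under */embeddings/ (the extension is attacker-controlled, so it keys on the path), checks for the OLE compound-file magic, looks for the Equation Editor CLSID in the little-endian layout used inside compound-file directory entries, and matches the Ole10Native stream name case-insensitively so the mixed-case OLe10NaTivE spelling in this sample is still caught. The document returned by build_sample() is constructed here to mimic the report's indicators; its OLE blob is only a header plus two directory entries, enough for the byte scanner but not a parsable compound file, and it is not the analysed sample.

```python
"""Heuristic triage of embedded OLE parts in an OOXML container (.xlsx/.docx/.pptx).

Added example, not the analysis platform's own code. It reproduces the two
heuristics in the report by byte scanning rather than by fully parsing the
compound file:
  * OOXML_OLE_OBJECT    : a part under */embeddings/ starts with the OLE (CFB) magic
  * OLE_EQUATION_EDITOR : that part contains the Equation Editor 3.0 CLSID in the
                          little-endian layout used inside CFB directory entries
It also reports an Ole10Native (Packager) stream name, matched case-insensitively,
because this sample spells it "OLe10NaTivE". build_sample() constructs a test
document; its OLE blob is just a header plus two directory entries, enough for
the scanner but not a valid compound file.
"""
import io
import re
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Equation Editor 3.0 (EQNEDT32.EXE), the component behind CVE-2017-11882 and friends.
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"

# CFB stores stream names as UTF-16LE and compares them case-insensitively, so the
# pattern is the UTF-16LE spelling (\x01 prefix included) with ASCII case folding.
OLE10NATIVE_RE = re.compile(b"\x01\x00" + "Ole10Native".encode("utf-16-le"), re.IGNORECASE)


def clsid_to_bytes(clsid: str) -> bytes:
    """Serialise a textual GUID the way a CFB directory entry stores it
    (Data1, Data2, Data3 little-endian; Data4 as written)."""
    d1, d2, d3, d4, d5 = clsid.strip("{}").split("-")
    return (int(d1, 16).to_bytes(4, "little")
            + int(d2, 16).to_bytes(2, "little")
            + int(d3, 16).to_bytes(2, "little")
            + bytes.fromhex(d4 + d5))


def scan_embedded_part(part_name: str, blob: bytes) -> dict:
    """Run the byte-level checks on one embedded part."""
    return {
        "part": part_name,
        "size": len(blob),
        "is_ole": blob.startswith(OLE_MAGIC),
        "equation_editor_clsid": clsid_to_bytes(EQNEDT_CLSID) in blob,
        "ole10native_stream": OLE10NATIVE_RE.search(blob) is not None,
    }


def triage_ooxml(document: bytes) -> list:
    """Open the OOXML zip in memory and scan every part under */embeddings/.
    The extension is attacker-controlled (njiVK.Zp7h here), so key on the path."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(document)) as zf:
        for info in zf.infolist():
            if "/embeddings/" in info.filename:
                findings.append(scan_embedded_part(info.filename, zf.read(info)))
    return findings


def fired_rules(findings: list) -> list:
    """Map findings onto the rule IDs used in the report."""
    rules = set()
    for f in findings:
        if f["is_ole"]:
            rules.add("OOXML_OLE_OBJECT")
            if f["equation_editor_clsid"]:
                rules.add("OLE_EQUATION_EDITOR")
    return sorted(rules)


def _dir_entry(name: str, obj_type: int, clsid: str = None) -> bytes:
    """Build a 128-byte CFB directory entry: UTF-16LE name at 0x00, name length
    (bytes, including terminator) at 0x40, object type at 0x42, CLSID at 0x50."""
    entry = bytearray(128)
    encoded = name.encode("utf-16-le") + b"\x00\x00"
    entry[: len(encoded)] = encoded
    entry[0x40:0x42] = len(encoded).to_bytes(2, "little")
    entry[0x42] = obj_type
    if clsid:
        entry[0x50:0x60] = clsid_to_bytes(clsid)
    return bytes(entry)


def build_sample() -> bytes:
    """Constructed .xlsx mimicking this report's indicators (not the analysed file)."""
    fake_ole = (OLE_MAGIC + bytes(512 - len(OLE_MAGIC))        # header sector
                + _dir_entry("Root Entry", 5, EQNEDT_CLSID)     # 5 = root storage
                + _dir_entry("\x01OLe10NaTivE", 2))             # 2 = stream
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/njiVK.Zp7h", fake_ole)
    return buf.getvalue()


if __name__ == "__main__":
    results = triage_ooxml(build_sample())
    for r in results:
        print(r)
    print("rules:", fired_rules(results))
```

Byte scanning is deliberately cheap and will also match a CLSID that appears in a CompObj stream or in slack space; for a verdict rather than triage, parse the compound file properly and read the root entry's CLSID and the directory tree, then extract the Ole10Native stream for a second-stage look at the packaged payload.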

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    SHA-256: d527f59d9349cf8c28eed34e7671387a5ba9c72ac9800ce301759c9fd999d1aa
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part xl/embeddings/njiVK.Zp7h
    Size: 963,072 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: b1a7c87c91d62b63cef118fe2ba93c9feabade9a08d79376e9ecb4d599254e29
    Kind: ole-package
    Source: Ole10Native stream "OLe10NaTivE" inside xl/embeddings/njiVK.Zp7h
    Size: 953,317 bytes