Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 d511d6beb4a38967…

MALICIOUS

Office (OOXML) / .XLSX

722.7 KB Created: 2022-07-21 17:04:09 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2023-02-27
MD5: 4134718aae7384320ed8f8f99804e818 SHA-1: e47de7210155d523ddc3bab38fba1e36f525bc79 SHA-256: d511d6beb4a38967d16df3f69c99a994a921f6037a2023aff1fbb46b8b418513
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.005 Visual Basic

The sample is an Office document containing an embedded Equation Editor OLE object, which is known to be used for delivering malicious payloads. The heuristic 'SE_ENABLE_LURE' indicates that the document likely instructs the user to enable macros or editing, a common tactic for malware droppers. The OLE object's 'Ole10Native' stream has an anomalous header and size, suggesting it contains a payload.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/qZk3pr.gP contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
ddd420359ef6cec22117d04e286617e018b34ffe43ccdb204028c104add3c101		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/qZk3pr.gP 1063936 bytes
ooxml_oleobject_00_ole10native_00.bin
c5f0a4d8abe7203e83a4a31e39008bcfeb9140a8ca146e09f19baed9367149fb		 ole-package OOXML xl/embeddings/qZk3pr.gP Ole10Native stream: OlE10naTIvE 1052740 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.