Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 d65724c2fd4c8c7c…

MALICIOUS

Office (OOXML) / .XLSX

Size: 601.4 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2023-08-29
MD5: df95df343efba634174fd9e1dac30a74
SHA-1: 8246895ef646ed14edf8bf41e99220a04a163100
SHA-256: d65724c2fd4c8c7c0ec482e5071ecce04c83cc827ed3a98912d4abebbfe3bbb7
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The file contains an embedded OLE object, specifically identified as an Equation Editor object, a component known to be a vector for exploits. The 'OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY' heuristic indicates that this object carries a payload-like stream with an anomalous header and a declared inner size significantly larger than the actual stream size, strongly suggesting it is designed to deliver malicious code. No scripts were extracted, but the presence of the anomalous OLE object is sufficient evidence of a malicious payload delivery attempt.

Heuristics (3)

  • Equation Editor OLE object [severity: high, CVE related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/fQZIMMxr.bFBS contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream [severity: high] OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [severity: medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 825ed8d73854893942dde01fa53dab26e81b25e0fcad18c9eeb10e111be95063
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/fQZIMMxr.bFBS
  Size: 865792 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 24ce43e704ad8d65f3aa46f4135120bb5018090b99041c758001603923124503
  Kind: ole-package
  Source: OOXML xl/embeddings/fQZIMMxr.bFBS Ole10Native stream: OlE10naTIVE
  Size: 856180 bytes