Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 d6d93de8cd7a4944…

MALICIOUS

Office (OOXML) / .XLSX

Size: 637.2 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 0b44d27dc9f7437df7b414cab571754d
SHA-1: 59535e57078314a0292857f39e7e84be5fc08503
SHA-256: d6d93de8cd7a49449cddb73d638b5c5e7a79e1533382abe2e0c044e32a055234
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The primary indicator of maliciousness is the presence of an embedded OLE object, identified as an Equation Editor object. This technique is commonly used to exploit vulnerabilities or deliver secondary payloads. While the document body contains what appears to be financial or shipping data, it does not directly indicate malicious intent. No scripts were extracted from this sample.

Heuristics (2)

  • Equation Editor OLE object [severity: high; CVE related] (OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/td1ktc.xpOayvr contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [severity: medium] (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: febde02942b40920edda2da03c4d90584ec8abb15ae289efc61b1a35c2f5a403
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/td1ktc.xpOayvr
  Size: 952320 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 13e6302b50f318f9ff46d1a266aa5faaa642a10168574f91f938f4d5ca3a86ec
  Kind: ole-package
  Source: OOXML xl/embeddings/td1ktc.xpOayvr Ole10Native stream: OLE10NaTivE
  Size: 942423 bytes