Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 d9a3f7d170e6f1f7…

MALICIOUS

Office (OOXML) / .XLSX

Size: 676.0 KB | Created: 2020-05-18 06:42:12 UTC | Authoring application: Microsoft Excel 15.0300
MD5: a15da14e739fb9c5e37f4c74b50990f7
SHA-1: 61ca90ef381e089de8155f6c81730a61e6472c11
SHA-256: d9a3f7d170e6f1f7849e2afdf8a8e9d0e3d16c6be4ae6c01e74599106a4666b1
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is an Office document containing an embedded OLE object identified as an Equation Editor object. Embedding such an object is a technique commonly used to exploit vulnerabilities in the legacy Equation Editor component and execute arbitrary code when the document is opened. The embedded object's path is recorded as an IOC. No scripts were extracted, and the document body content provides no further clues about the specific attack.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tags: CVE related, OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/lPuD.SZBud contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; tag: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256:  dcf92d2e3d946cb6f1da8260adc19a1246e0233a76b297e0440ed78aaf9e3b85
Kind:     ooxml-ole-object
Source:   OOXML embedded OLE part: xl/embeddings/lPuD.SZBud
Size:     876544 bytes