Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 da55b7f6e7ce3736…

MALICIOUS

Office (OOXML)

1.38 MB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2021-05-26
MD5: 6b16d01e4e67387e9d4895ae14cceb4b SHA-1: 868af7bcbe54ce767c3689aa0537ebe2a70a97fb SHA-256: da55b7f6e7ce37368846cdbf1ce8cda719b3103373499592dd61d31b4ee0af0d
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This Excel document contains a high-risk embedded OLE object, identified as an Equation Editor, which is a common vector for delivering malicious payloads. The object's Ole10Native stream exhibits anomalies suggesting it contains executable content. The presence of a suspicious URL, http://www.day.com/dam/1.0, further indicates a potential download or command-and-control channel.

Heuristics 7

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET
    Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
  • Payload URL recovered from embedded OLE object (1 URL) info OOXML_EMBEDDED_OBJECT_URL
    An embedded OLE object (xl/word/ppt embeddings) carries a next-stage download URL in its Ole10Native/Package stream — stored literally (incl. UTF-16) or base64-encoded — which the package-level URL sweep does not see. Surfaced as an IOC; self-validating (only real payload hosts).
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.day.com/dam/1.0 In document text (OOXML body / shared strings)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OOXML body / shared strings)
    • http://ns.adobe.com/tiff/1.0/In document text (OOXML body / shared strings)
    • http://purl.org/dc/elements/1.1/In document text (OOXML body / shared strings)

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject2.bin 1535488 bytes
SHA-256: 390bfa4e7f7fb363a49f2095a7bc29501173fb44b905218e682a7fa570b4ab6e
ooxml_oleobject_00_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native 1520900 bytes
SHA-256: f7bfcd2cfafe65360c900b06396fb593106749574e01161bc1df7461e65c0804
ooxml_oleobject_01.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject3.bin 10240 bytes
SHA-256: dee6dadb12de044faa658368cdd49e3be7bda7b7c69ca5594ab575eb3791d584
ooxml_oleobject_01_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject3.bin Ole10Native stream: Ole10Native 8667 bytes
SHA-256: 59fb77315591a55324873430963abffa12244adc4996302250a87d8a758a5796
ooxml_oleobject_02.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/oleObject1.bin 1059840 bytes
SHA-256: ba509981de10ffb9c4e50bcf2cd1e955dd7a11a358b79675cc1215325691df7c
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): mshta2kPFeJia6pmoaIxp79CrsXQHaj7dQpI0viYZLJYV3wbvR4WKpJuAkYLZXREYz6UHR3td3RG4HVIgbDIYfIQHRP2qlaKi7wG6defaM7cxmQ8Ga617hz1MTUFlJ2jFLkO6VQAakiOpcdOnwAUivJ0ZNEmzCigKCvew
ooxml_oleobject_02_ole10native_00.bin ole-package OOXML xl/embeddings/oleObject1.bin Ole10Native stream: oLE10NATivE 1048685 bytes
SHA-256: a8c6e7d90745b9ff9cea05a034a0561f77d4b69dde98fab300974ba5d44d44e2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered command string(s): mshta2kPFeJia6pmoaIxp79CrsXQHaj7dQpI0viYZLJYV3wbvR4WKpJuAkYLZXREYz6UHR3td3RG4HVIgbDIYfIQHRP2qlaKi7wG6defaM7cxmQ8Ga617hz1MTUFlJ2jFLkO6VQAakiOpcdOnwAUivJ0ZNEmzCigKCvew
ooxml_oleobject_03.bin ooxml-ole-object OOXML embedded OLE part: xl/embeddings/Microsoft_Office_Word_Macro-Enabled_Document1.docm 122523 bytes
SHA-256: 45856426be47fd9387aed48b15fe7b534274592a8840baca189032c4f58ac182
emf_00.emf ooxml-emf OOXML EMF part: xl/media/image2.emf 3042216 bytes
SHA-256: 058f03094b563ffe0f4fc6569e1d6cca7f2d219df0f3a543b09bb57c04d5c406
emf_01.emf ooxml-emf OOXML EMF part: xl/media/image3.emf 648132 bytes
SHA-256: 41ba43d44f8607265acb7f31b40fb92f5d455850872db66652bb962994766b7b
emf_02.emf ooxml-emf OOXML EMF part: xl/media/image4.emf 7608 bytes
SHA-256: 52e605f9aa73c945d0f6e468fd68aff7db021699e26de6015514388190d03d9a

Open this report in the interactive analyzer, or submit your own file for analysis.