Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 dadf14be581d662a…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.54 MB   Created: 2006-09-13 11:21:51 UTC   Authoring application: Microsoft Excel 15.0300
MD5: a9c7ea924ea0c6af707d98184f710331
SHA-1: 9b0017dcd5f3d38e019d4818672700aab6f94efe
SHA-256: dadf14be581d662a0fda146f5f7823b43054c16f2c80a5499c1ca601f9c50095
Risk score: 108

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The sample is an XLSX (OOXML) workbook classified as malicious. It embeds an OLE object whose CLSID identifies the legacy Equation Editor component, and that object's Ole10Native stream is flagged as payload-like because of its size, its entropy and the inconsistent sizes in its package header. The sheet text is formatted as a proforma invoice, a lure intended to make the recipient open the workbook and interact with the embedded object. Taken together, the Equation Editor object and the invoice lure indicate an attempt to deliver a secondary payload.

Heuristics (4)

  • Equation Editor OLE object [high, CVE-related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oleObject1.bin carries the Equation Editor CLSID, the legacy component (EQNEDT32.EXE) exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. Microsoft removed the component in the January 2018 Office security updates; hosts that still have it are exposed, and the document should be treated as malicious regardless of patch level.
  • Equation Editor object carries payload-like Ole10Native stream [high] OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    The embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream whose package size fields do not match the stream's actual length. This exploit-shaped Equation/OLE payload container is seen in malicious OOXML samples. It is not attributed to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    The document contains an embedded OLE object.
  • Fake invoice / payment lure [low] SE_INVOICE_LURE
    The document contains invoice or payment language paired with an action verb. On its own this is weak evidence; it adds context when combined with link, macro or attachment indicators.
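As an added example (not the scanner's code and not data taken from the sample), the script below shows how the two Equation Editor heuristics can be checked once the embedded OLE object's root-entry CLSID and its stream table have been pulled out of the CFB container (for instance with olefile, which is not used here). It compares the CLSID with the Equation Editor class ID, matches the Ole10Native stream name case-insensitively (CFB directory names are compared without regard to case, which is why a mixed-case name such as the one in this sample must still match), parses the Ole10Native package header and reports size mismatches and a high-entropy payload. The package layout used (total size, flags, label, source path, two reserved WORDs, temp-path length, temp path, data size, data) is the commonly documented one; the entropy thresholds, the rule behaviour and the two constructed streams are assumptions made for the example.

```python
import math
import random
import struct

# CLSID of the legacy Equation Editor (Equation.3) COM class.
EQUATION_EDITOR_CLSID = "0002CE02-0000-0000-C000-000000000046"

# Illustrative thresholds (assumptions, not the report's values).
HIGH_ENTROPY = 7.0            # bits per byte
MIN_PAYLOAD_FOR_ENTROPY = 1024


def clsid_to_str(raw: bytes) -> str:
    """Render a 16-byte CFB directory-entry CLSID in registry text form."""
    if len(raw) != 16:
        raise ValueError("CLSID must be 16 bytes")
    d1, d2, d3 = struct.unpack("<IHH", raw[:8])  # first three fields are little-endian
    return "%08X-%04X-%04X-%02X%02X-%s" % (d1, d2, d3, raw[8], raw[9], raw[10:].hex().upper())


def is_equation_editor(raw_clsid: bytes) -> bool:
    return clsid_to_str(raw_clsid) == EQUATION_EDITOR_CLSID


def is_ole10native_name(name: str) -> bool:
    """CFB names match case-insensitively, so 'oLe10NAtIve' must hit as well."""
    return name.lstrip("\x01").casefold() == "ole10native"


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def _cstr(buf: bytes, off: int):
    end = buf.index(b"\x00", off)  # ValueError if the string is unterminated
    return buf[off:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Parse an Ole10Native package stream and collect sizing/entropy anomalies."""
    info = {"anomalies": []}
    if len(stream) < 6:
        info["anomalies"].append("stream shorter than minimal header")
        return info
    declared_total = struct.unpack_from("<I", stream, 0)[0]
    info["declared_total"] = declared_total
    if declared_total != len(stream) - 4:
        info["anomalies"].append("total size %d != actual %d" % (declared_total, len(stream) - 4))
    off = 4
    try:
        info["flags"] = struct.unpack_from("<H", stream, off)[0]
        off += 2
        info["label"], off = _cstr(stream, off)
        info["src_path"], off = _cstr(stream, off)
        off += 4  # two reserved WORDs, normally 0x0000 and 0x0003
        tmp_len = struct.unpack_from("<I", stream, off)[0]
        off += 4
        if tmp_len > len(stream) - off:
            raise ValueError("temp path length out of range")
        info["temp_path"] = stream[off:off + tmp_len].rstrip(b"\x00").decode("latin-1")
        off += tmp_len
        data_size = struct.unpack_from("<I", stream, off)[0]
        off += 4
    except (ValueError, struct.error) as exc:
        info["anomalies"].append("truncated/malformed header: %s" % exc)
        return info
    payload = stream[off:]
    info["declared_data_size"] = data_size
    if data_size != len(payload):
        info["anomalies"].append("data size %d != remaining %d" % (data_size, len(payload)))
    info["payload_size"] = len(payload)
    info["entropy"] = shannon_entropy(payload)
    if len(payload) >= MIN_PAYLOAD_FOR_ENTROPY and info["entropy"] > HIGH_ENTROPY:
        info["anomalies"].append("high-entropy payload (%.2f bits/byte)" % info["entropy"])
    return info


def assess_embedding(root_clsid: bytes, streams: dict) -> list:
    """streams maps stored CFB stream names to bytes; returns the rule IDs that fire."""
    fired = []
    eq = is_equation_editor(root_clsid)
    if eq:
        fired.append("OLE_EQUATION_EDITOR")
    for name, data in streams.items():
        if eq and is_ole10native_name(name) and parse_ole10native(data)["anomalies"]:
            fired.append("OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY")
    return fired


def build_ole10native(label, src_path, temp_path, payload,
                      declared_total=None, declared_data_size=None) -> bytes:
    """Build a package stream; the size overrides forge malformed headers for testing."""
    body = struct.pack("<H", 2) + label.encode() + b"\x00" + src_path.encode() + b"\x00"
    body += struct.pack("<HH", 0, 3)
    tp = temp_path.encode() + b"\x00"
    body += struct.pack("<I", len(tp)) + tp
    ds = len(payload) if declared_data_size is None else declared_data_size
    body += struct.pack("<I", ds) + payload
    total = len(body) if declared_total is None else declared_total
    return struct.pack("<I", total) + body


# Constructed inputs for the example; none of this is data from the analysed file.
EQ_CLSID_RAW = bytes.fromhex("02ce020000000000c000000000000046")
BENIGN_STREAM = build_ole10native("notes.txt", "C:\\docs\\notes.txt",
                                  "C:\\Temp\\notes.txt", b"hello world\r\n" * 200)
_rng = random.Random(1882)
SUSPECT_STREAM = build_ole10native("x", "x", "x",
                                   bytes(_rng.getrandbits(8) for _ in range(4096)),
                                   declared_total=0x10, declared_data_size=0xFFFFFFFF)

if __name__ == "__main__":
    print(assess_embedding(EQ_CLSID_RAW, {"\x01Ole10Native": BENIGN_STREAM}))
    print(assess_embedding(EQ_CLSID_RAW, {"\x01oLe10NAtIve": SUSPECT_STREAM}))
```

The second rule deliberately fires only when the Equation Editor CLSID is also present, matching the report's wording; a malformed Ole10Native package inside an ordinary Package object is a different signal and would need its own rule. Against a real sample, feed `assess_embedding` the root entry CLSID and the streams read from xl/embeddings/oleObject1.bin rather than the constructed values.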

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                               Kind              Source                                                                 Size
ooxml_oleobject_00.bin                 ooxml-ole-object  OOXML embedded OLE part: xl/embeddings/oleObject1.bin                  842240 bytes
  SHA-256: 258571a79ae7903557d9614d1bff5c492e0efbf61e5e4d91a2fe61c56eb919eb
ooxml_oleobject_00_ole10native_00.bin  ole-package       Ole10Native stream "oLe10NAtIve" in xl/embeddings/oleObject1.bin       833316 bytes
  SHA-256: a5ac480a42086ec556ef0d4daf6fff1db11660c2fbacc81301c1264cb9b8665b

Note the stream name as stored in the OLE container is the mixed-case "oLe10NAtIve". CFB directory names are compared case-insensitively, so Office still resolves it, but signatures or scripts that match the literal string "Ole10Native" will miss this stream; match the name case-insensitively.