Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 dae10b4be19f8170…

MALICIOUS

Office (OOXML) / .XLSX

Size: 602.1 KB
Created: 2019-11-27 09:20:57 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 80126b0c7190360c63cdfc0b57839920
SHA-1: 191ffb490653ca129ed7fe603f2d7734d3d0c157
SHA-256: dae10b4be19f81707d8c9b2fab7539a0f5a9c82ef37f5c0ee3500c161c68fb20
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The sample is an Excel file containing an embedded OLE object identified as an Equation Editor object. Heuristics indicate that this object carries a payload-like Ole10Native stream with an anomalous header, suggesting it is designed to execute malicious code. This delivery mechanism is commonly associated with exploiting vulnerabilities in the Equation Editor to download and execute further stages.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/4ggQT9a5.Nyt contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high) [OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
ooxml_oleobject_00.bin | 79ea05cfd03d48273255d7eecc7b163954ee1bb2394f4471fcab6189fa21ae50 | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/4ggQT9a5.Nyt | 851456 bytes
ooxml_oleobject_00_ole10native_00.bin | b486002f30b6a1afb93b4b6189007a1afed9387c83a7d415444abebb2bea77d2 | ole-package | OOXML xl/embeddings/4ggQT9a5.Nyt Ole10Native stream: oLE10NAtIVE | 842491 bytes