Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 db8005ede3b883ab…

MALICIOUS

Office (OOXML) / .XLSX

Size: 641.7 KB
Created: 2023-11-17 18:26:59 UTC
Authoring application: Microsoft Excel 12.0000
MD5: a971e523dcb8582f8c095214069c03f3
SHA-1: 008a62ba3010cbf2dc31c7d8913587ebe07c07d0
SHA-256: db8005ede3b883ab4d1fb7708d9a834f3efdd97294d66f335c711cd2e6528764
Risk Score: 60

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1559.001 Component Object Model Hijacking

The sample is an Office Open XML (XLSX) file containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. This type of object is known to be exploited to achieve arbitrary code execution. The presence of the Equation Editor OLE object strongly suggests an attempt to exploit a vulnerability, likely CVE-2017-11882, to execute a secondary payload.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE-related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/Yr2bP.USP contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    The document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 127232dc5f0165c43c0a4c2c470e6bd440e3c71c4e950e45b0a527ccf384c780
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/Yr2bP.USP
    Size: 943616 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 69537692f2172496baab03de2f09c3520085e14c4ffe49b5e3b6d59020cf0ea9
    Kind: ole-package
    Source: OOXML xl/embeddings/Yr2bP.USP Ole10Native stream: OlE10NATIve
    Size: 933385 bytes