Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 dc55d491af0bd203…

MALICIOUS

Office (OOXML) / .XLSX

Size: 618.5 KB
Created: 2019-11-27 09:20:57 UTC
Authoring application: Microsoft Excel 12.0000
MD5: b98b396bc2e687f08f4aea3c541a85c9
SHA-1: 544710ab6d6438b5d839a93e792b52389964d7e5
SHA-256: dc55d491af0bd20319ad19e6047b316a7bad5ec4e37d3500b240a68fc8f43759
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The file is an Excel spreadsheet containing an embedded OLE object whose root storage carries the Equation Editor CLSID. The object does not look like a genuine equation: it stores a large, high-entropy Ole10Native stream whose package size field does not match the stream length, which is the shape of the containers used to deliver exploits for the legacy EQNEDT32.EXE component. That technique is a common first stage for dropping second-stage malware. No specific family could be identified, and the heuristics alone do not assign a CVE, but the delivery pattern is clear.

Heuristics (3)

  • Equation Editor OLE object (high; CVE-related; rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/znSrTK6QU.RBAkr contains the Equation Editor CLSID, i.e. the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (high; rule OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    The embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream whose declared package size does not match the stream length. This is the exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. The rule does not assign a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (medium; rule OOXML_OLE_OBJECT)
    The document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 0bc779ec7085664a83c851265e7deed9b86d8ed1379f29f95943754c80b48fc6
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part xl/embeddings/znSrTK6QU.RBAkr
  Size: 845824 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 94814f084f02f887ecf617dd0935e936a5fbed36d6f92858e39f4b45a61e4806
  Kind: ole-package
  Source: Ole10Native stream "ole10nATIvE" inside OOXML part xl/embeddings/znSrTK6QU.RBAkr
  Size: 837044 bytes