Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 dd440abb299ff86d…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX
Size: 632.4 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 8303106a21a45bc1762f5046d51602fa
SHA-1: a5b3b67a0d983b495922eb3ae284f217fee6868a
SHA-256: dd440abb299ff86d3a7c3796330d19401b97da63b7f6c393237e9170d748a530
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Excel file containing an embedded OLE object, specifically identified as an Equation Editor object. This strongly suggests exploitation of a known vulnerability within the Equation Editor component to achieve arbitrary code execution. No VBA or scripts were extracted, but the presence of the OLE object is sufficient evidence for exploitation.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE related, rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/BW9W8nA9O.6o contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium, rule OOXML_OLE_OBJECT)
    The document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 9f44fb6eff248f9f7cefca62e015b983206cea985b6796d5d105b39cf2a661a3
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/BW9W8nA9O.6o
Size: 939008 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
SHA-256: ad6aa7d5587bb11f02ecec45fa534aa2ab816b472b23dabaaede71896162870e
Kind: ole-package
Source: OOXML xl/embeddings/BW9W8nA9O.6o Ole10Native stream: OLE10NATIVe
Size: 929215 bytes