Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 dd48f4342236d041…

MALICIOUS

Office (OOXML) / .XLSX

Size: 728.0 KB
Created: 2019-11-27 09:20:57 UTC
Authoring application: Microsoft Excel 12.0000
MD5: e56b7a5fcbda197a5d4a0a4110703e04
SHA-1: a42956efe68ba6a5e85d3a549667fb2fdd22af08
SHA-256: dd48f4342236d0418f1c4818d94fea9c2a9a7a7845bc9e5645098b996443510a
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File: User Execution
  • T1559.001 Component Object Model Hijacking

The sample is an XLSX file containing an embedded OLE object identified as an Equation Editor. Heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous header, strongly suggesting it is a vehicle for exploitation. An embedded OLE object, particularly the Equation Editor, is a common technique for delivering malicious payloads and typically relies on user interaction (opening the document) to trigger execution.

Heuristics (3)

  • Equation Editor OLE object [severity: high, CVE related] (rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/Zx8zv.996Hn contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream [severity: high] (rule: OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [severity: medium] (rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: ad5ff2cbb57f8d98dc41dc751188fdb3f36d71f06efd322d33cc02ca8a231bf2
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/Zx8zv.996Hn
Size: 1064448 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
SHA-256: c714efacf79640ec9f20aa164dd951446754a7c67066a8310dc4a5117725f25e
Kind: ole-package
Source: OOXML xl/embeddings/Zx8zv.996Hn Ole10Native stream: oLE10NAtivE
Size: 1053222 bytes