Office (OOXML) / .XLSX malware analysis — malicious · dde326d6bc76918e

MALICIOUS

Office (OOXML) / .XLSX

1.36 MB Created: 2006-09-16 00:00:00 UTC Authoring application: Microsoft Excel 12.0000

MD5: a3d3d217e44e088d422fdf867893b87e SHA-1: cc1f062eb199f88b945fe85238378ee4d9092eea SHA-256: dde326d6bc76918e7c56fc2182b7aef03c4366440becb48227fd05196607d802

110 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link T1059 Command and Scripting Interpreter T1566 Phishing

The file contains an embedded OLE object, specifically identified as a Microsoft Equation Editor object. Heuristics indicate that this object carries a payload-like Ole10Native stream with an anomalous size difference, strongly suggesting exploitation of a vulnerability within the Equation Editor. This is a common delivery mechanism for malware.

Heuristics 5

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY

Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Hidden worksheet (hidden) low OOXML_HIDDEN_SHEET

Excel workbook contains 1 hidden sheet(s) — hidden sheets are commonly used to conceal macro code, staging data, or intermediate payload construction
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 9

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `db9162914f91d025f9c5ae9ef06f8948f0c2eafbb16ef81234dbb60668f7f686`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject3.bin	29696 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.46, consistent with packed or encrypted content.
`ooxml_oleobject_00_ole10native_00.bin` `d0e65243df358f9ee7948eadb2c9e55da3344dd9a0ee3fcc11d3188c924dc972`	ole-package	OOXML xl/embeddings/oleObject3.bin Ole10Native stream: Ole10Native	28007 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.61, consistent with packed or encrypted content.
`ooxml_oleobject_01.bin` `0c89e9c9a3ff2bc9c11421548a61a170d24b73f30a7ab97753983ab9537267af`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject2.bin	1535488 bytes
`ooxml_oleobject_01_ole10native_00.bin` `f7bfcd2cfafe65360c900b06396fb593106749574e01161bc1df7461e65c0804`	ole-package	OOXML xl/embeddings/oleObject2.bin Ole10Native stream: Ole10Native	1520900 bytes
`ooxml_oleobject_02.bin` `8ef9be6aa199af412048fda0f78f6e0b94599fd29eef95ea05b2d8970c18f49d`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/oleObject1.bin	907776 bytes
`ooxml_oleobject_02_ole10native_00.bin` `ac47759751d5d72141b41b8c29562a75543e51a19c0e1fd06db580730675d3b4`	ole-package	OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10naTIvE	898524 bytes
`emf_00.emf` `072a6a893b25f4848345ae02773b4dd141c43ec598f34f1da6844dabe6ca8a42`	ooxml-emf	OOXML EMF part: xl/media/image2.emf	3042216 bytes
`emf_01.emf` `55a8607ac51f26e3f1dd13cb6aa70f2a4187b46b7c9d1a56ac1d93555807c42b`	ooxml-emf	OOXML EMF part: xl/media/image3.emf	1127736 bytes
`emf_02.emf` `07938911d7f1466e8a619680a677b03898fc9dc29e7825ec148612791d2741d6`	ooxml-emf	OOXML EMF part: xl/media/image4.emf	5376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.