Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 de11db2dd93507ba…

MALICIOUS

Office (OOXML) / .XLSX

File size: 660.2 KB
Authoring application: Microsoft Excel 12.0000
MD5: 00aa6f149ec6301767eac156b42a0e3b
SHA-1: a39a51248047e4494ff6e8a3004533a4a72a79e2
SHA-256: de11db2dd93507ba38cc61d73db40e5bf3399e053fe3804542e3ceff6df6db3d
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1559.001 Component Object Model Hijacking

The file is an Office document containing an embedded OLE object identified as an Equation Editor. This is a high-severity finding and a common technique for delivering exploits. The embedded object's CLSID is associated with Equation Editor, which has historically been used to exploit vulnerabilities. No scripts were extracted, and the document body content appears to be legitimate business information, suggesting the maliciousness stems solely from the embedded object.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE-related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/4duu.bHCVY contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis (columns: Filename, Kind, Source, Size).

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 0cb45a9205dfcc11ec6d235da0035acdcf7749921eeb230007f1e61f0a6a9a1a
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/4duu.bHCVY
    Size: 932352 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: a09513844bc510b419ff160ed9cd6f32537fac2c34ed595f939a9e2b1311fff4
    Kind: ole-package
    Source: OOXML xl/embeddings/4duu.bHCVY Ole10Native stream: Ole10natIVE
    Size: 922471 bytes