Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 deaa89e19742ec70…

MALICIOUS

Office (OOXML) / .XLSX

725.0 KB Created: 2023-08-28 23:37:50 UTC Authoring application: Microsoft Excel 15.0300 First seen: 2023-08-30
MD5: fe1e0a3aa4dbcbef1b4bacccff150b9b SHA-1: b4c9fc09752784bb0b8ad24f02b850121ab9015f SHA-256: deaa89e19742ec702f87db2f0aea535716bea4330c3bef595fd016901735deef
100 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The sample is an OOXML file containing an embedded OLE object identified as an Equation Editor. Heuristics indicate an anomaly in the Ole10Native stream within this object, suggesting it carries a payload. This technique is commonly used to exploit vulnerabilities or deliver second-stage malware.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/XG.FMc2 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
32d96e964ac41f376356038eec187b2270a5b94d77a0604c91308ef22c83bf2a		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/XG.FMc2 1045504 bytes
ooxml_oleobject_00_ole10native_00.bin
0c159b6aa464d246bf59833084daaa645fd7625832e38ccb721d4cf0e026190a		 ole-package OOXML xl/embeddings/XG.FMc2 Ole10Native stream: OLe10NATIVe 1034812 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.