Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e10e79e5ce889e12…

MALICIOUS

Office (OOXML) / .XLSX

Size: 680.3 KB
Created: 2021-12-06 14:45:17 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2022-04-07
MD5: bca321866fddc48459319bc976ad6560
SHA-1: c36d6e4f2e9d11753fb8728e7a0abc6cb63bf3c4
SHA-256: e10e79e5ce889e121c8a6e8410f347d2c9654de92ab75ebe1604c759c8d7384f
Risk Score: 66

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The primary indicator of maliciousness is the presence of an embedded Equation Editor OLE object within the XLSX file. This object is frequently exploited to trigger vulnerabilities in Microsoft Office, leading to the execution of arbitrary code. While no specific exploit code or payload was directly extracted, the nature of the embedded object strongly suggests an attempt to leverage an Equation Editor vulnerability for initial access or payload delivery.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/EVSAZB.psdNx3 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
ooxml_oleobject_00.bin (SHA-256 d210733eed648e880af42f9fb767f5da722c7d0aa098c16bce41d9f1e8c8e166) | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/EVSAZB.psdNx3 | 901632 bytes
ooxml_oleobject_00_ole10native_00.bin (SHA-256 aaf476e497db3201a5fa4b88ed19fd39437bc488eda69e5c4090340ca6f6050d) | ole-package | OOXML xl/embeddings/EVSAZB.psdNx3 Ole10Native stream: OLe10nATivE | 892157 bytes