Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e1890dc28d56e185…

MALICIOUS

Office (OOXML) / .XLSX

Size: 742.4 KB
Created: 2023-08-07 12:44:21 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2023-08-08
MD5: 4178c9328d164a6171ddccb870875306
SHA-1: b2001909b10fe86fb9dc1378ee4ab8e3c2751e4c
SHA-256: e1890dc28d56e185e93a37e7a7ffc30c6a681f45f37cd366e4964643333c1983
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1559 Component Object Model and Distributed Component Object Model
  • T1559.001 Component Object Model and Distributed Component Object Model: Component Object Model

The XLSX file contains an embedded OLE object identified as an Equation Editor. This object exhibits an anomaly where the Ole10Native stream size is significantly larger than the declared inner size, indicating it likely carries a malicious payload. The presence of this anomalous OLE object suggests the file is designed to exploit vulnerabilities or deliver malware through this embedded component.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related; rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/6dapfhQ.oCLnh contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high; rule OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium; rule OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 1b02b38eed26e2fd8c348aece7488c85292247d2acfeccfd2720b7f6fd34edcd
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/6dapfhQ.oCLnh
  Size: 1016320 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: baf31ce29e84588bd26d8728ea7d5796fc2e01010ce4b839c5f1c8971aa3663c
  Kind: ole-package
  Source: OOXML xl/embeddings/6dapfhQ.oCLnh Ole10Native stream: oLe10nAtiVE
  Size: 1005778 bytes