Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e240c03534823e91…

MALICIOUS

Office (OOXML) / .XLSX

706.6 KB Created: 2024-03-25 10:30:17 UTC Authoring application: Microsoft Excel 12.0000
MD5: bc22cf0175f66010ad47cc3c9221bf51 SHA-1: f13faa702a62518d25d04ebd34094ca11d0ece8c SHA-256: e240c03534823e910d9d7e609c19c344f0e78c9470c820af790b2bbbfffea8ed
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file contains an embedded OLE object, specifically identified as an Equation Editor object. This strongly suggests exploitation of a known vulnerability within the Equation Editor component to achieve arbitrary code execution upon opening the document.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/khtt7z7.rRxQt3K contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
d60ef7c658a083aa31e5cc3cbd516ae4f318865ed391b153562cc9f0e59c5ec2		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/khtt7z7.rRxQt3K 974848 bytes
ooxml_oleobject_00_ole10native_00.bin
2fc76b9933a8fdc148e209e76cf870fd693fa99b7f8b0566a8f4d05a0565c87e		 ole-package OOXML xl/embeddings/khtt7z7.rRxQt3K Ole10Native stream: OlE10nAtIVe 964915 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.