Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e3855e91b03d86cb…

MALICIOUS

Office (OOXML) / .XLSX

Size: 592.8 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 5c7c3edd8d039d829a92ae8d82ff3612
SHA-1: b73ad87922aa30301eb34b27ebede06c72e0f867
SHA-256: e3855e91b03d86cbe13ae517dc58dc7e348023fabec73fbc21fa055a52d5b6ed
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is an Excel document containing an embedded OLE object, identified as an Equation Editor object. This technique is commonly used to exploit vulnerabilities or deliver malicious code. The presence of this object strongly suggests an attempt to execute arbitrary code or download a secondary payload. No scripts were extracted, and the document body appears to be tabular data, offering no further clues to the specific intent beyond the embedded object.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE related, rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/0Hb7K.br1C contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256: 6c1311deb4fe207990ef89bacb4b1f0370df943e8530926f459fe2367b550ad6
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/0Hb7K.br1C
  Size: 821760 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: e0f4f0aa7d4ba1cbbc9a8fbe741efe1f98dab5e5e322bc67a79a9674793177d6
  Kind: ole-package
  Source: OOXML xl/embeddings/0Hb7K.br1C Ole10Native stream: oLE10nATive
  Size: 813000 bytes