Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e43f8e91ddc8ad3a…

MALICIOUS

Office (OOXML) / .XLSX

Size: 740.1 KB
Created: 2024-06-12 09:57:11 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 19fec22318eba5e72a3da8078364f676
SHA-1: 0c1bbd6ee6b2c8806d46a4bed97ca26b5d81332f
SHA-256: e43f8e91ddc8ad3a4a9081cfd5f4d9ce76e816b7c214dddb5a4386adcf17454f
Risk score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The file is an OOXML workbook containing an embedded OLE object whose CLSID identifies it as an Equation Editor (EQNEDT32.EXE) object. That legacy component has a history of code-execution vulnerabilities and has no legitimate reason to appear in most spreadsheets, so its presence strongly suggests an attempt to exploit the Equation Editor stack buffer overflow (CVE-2017-11882) for initial execution, most likely to download and run a secondary payload. This is a static verdict based on the object's type, not on its contents: the carved Ole10Native stream listed under Extracted artifacts is the next thing to inspect, and detonation is needed to confirm which bug is triggered and what the payload does.

Heuristics (2)

  • Equation Editor OLE object [severity: high, tag: CVE related] (OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/P24eZgu3.yU contains the Equation Editor CLSID ({0002CE02-0000-0000-C000-000000000046}), the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. The part name is not the oleObject<N>.bin that Excel itself writes for embeddings, which suggests the package was built or post-processed by a tool rather than saved from Excel.
  • Embedded OLE object [severity: medium] (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
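The two heuristics above reduce to a small amount of byte-level scanning: unzip the OOXML package, pick out the parts under the embeddings directory, and look inside each one for the compound-file magic, the Equation Editor CLSID (stored little-endian in the root directory entry) and the UTF-16LE stream names of interest. The following is an added example written for this page, not the analysis platform's own code. It reproduces OOXML_OLE_OBJECT and OLE_EQUATION_EDITOR, adds a hypothetical third heuristic (OOXML_OLE_NONSTANDARD_PART_NAME) for embedding parts not named oleObject<N>.bin, and builds its own constructed sample so that it runs offline; the sample only imitates the bytes the scanner keys on and is not a valid compound file.

```python
"""Byte-level heuristics for embedded OLE objects in OOXML packages.

Added example; not the report's tooling. Reproduces OOXML_OLE_OBJECT and
OLE_EQUATION_EDITOR and adds a hypothetical OOXML_OLE_NONSTANDARD_PART_NAME.
Only the standard library is used: compound files are scanned, not parsed.
"""
import io
import re
import uuid
import zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# CLSIDs are stored little-endian in the compound file's root directory entry.
# Equation Editor 3.0 (EQNEDT32.EXE) is the component hit by CVE-2017-11882,
# CVE-2018-0802 and CVE-2018-0798.
CLSIDS = {
    "Equation Editor 3.0": uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le,
}

# Directory entry names are UTF-16LE. "\x01Ole10Native" is the Package stream
# that carries an arbitrary embedded payload; "Equation Native" holds the MTEF
# data of a genuine Equation Editor object.
STREAM_NAMES = {
    "Ole10Native": "\x01Ole10Native".encode("utf-16-le"),
    "Equation Native": "Equation Native".encode("utf-16-le"),
}

EMBEDDING_RE = re.compile(r"^(?:xl|word|ppt)/embeddings/([^/]+)$")
STANDARD_NAME_RE = re.compile(r"^oleObject\d+\.bin$")


def scan_ole_part(part_name, data):
    """Return the byte-level findings for one embedded OLE part."""
    basename = part_name.rsplit("/", 1)[-1]
    return {
        "part": part_name,
        "size": len(data),
        "is_cfb": data.startswith(CFB_MAGIC),
        "clsids": sorted(k for k, v in CLSIDS.items() if v in data),
        "streams": sorted(k for k, v in STREAM_NAMES.items() if v in data),
        "nonstandard_name": STANDARD_NAME_RE.match(basename) is None,
    }


def scan_ooxml(blob):
    """Scan an OOXML package (bytes); return (sorted heuristic ids, per-part findings)."""
    heuristics = set()
    parts = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            if not EMBEDDING_RE.match(info.filename):
                continue
            finding = scan_ole_part(info.filename, z.read(info.filename))
            parts.append(finding)
            heuristics.add("OOXML_OLE_OBJECT")
            if "Equation Editor 3.0" in finding["clsids"]:
                heuristics.add("OLE_EQUATION_EDITOR")
            if finding["nonstandard_name"]:
                heuristics.add("OOXML_OLE_NONSTANDARD_PART_NAME")  # hypothetical id
    return sorted(heuristics), parts


def build_sample(include_ole=True, part_name="xl/embeddings/P24eZgu3.yU"):
    """Constructed test input: a minimal xlsx-shaped zip. The embedding part only
    imitates the bytes the scanner keys on (CFB magic, a root directory entry
    carrying the Equation Editor CLSID, an Ole10Native entry name); it is not a
    valid compound file and would not open in Excel."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if include_ole:
            header = CFB_MAGIC.ljust(512, b"\x00")        # header sector
            root = bytearray(128)                          # directory entry 0
            root[0:22] = "Root Entry\x00".encode("utf-16-le")
            root[80:96] = CLSIDS["Equation Editor 3.0"]    # CLSID field at 0x50
            native = bytearray(128)                        # directory entry 1
            native[0:26] = "\x01Ole10Native\x00".encode("utf-16-le")
            z.writestr(part_name, header + bytes(root) + bytes(native))
    return buf.getvalue()


if __name__ == "__main__":
    ids, findings = scan_ooxml(build_sample())
    print("heuristics:", ids)
    for f in findings:
        print(f)
```

Substring matching on stream names and CLSIDs is deliberate: both live inside 128-byte directory entries that never straddle a sector boundary, so they are contiguous in the file and a scan finds them without walking the FAT. The trade-off is that a scan cannot tell a stream that exists from a stale name in a freed directory entry, so a hit should be confirmed with a real compound-file parser before it is reported with any confidence.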

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 6c64e43c9af440e91307a786e08821329056ca9b33b35a251fac7be865520584
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/P24eZgu3.yU
  Size:    1012224 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: af3fc7701702a29edabd9c8a0152e144efb8311f7e5b5a046ae5dcbb2ae7b30d
  Kind:    ole-package
  Source:  OOXML xl/embeddings/P24eZgu3.yU Ole10Native stream: Ole10Native
  Size:    1001909 bytes

The carved OLE part (about 1 MB) is larger than the 740.1 KB package that contains it; this is expected, since OOXML parts are deflate-compressed inside the zip container and compound files with padding compress well. Nearly all of the OLE part is the Ole10Native stream, which is the artifact to examine for the embedded payload.