Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e7197df49081e219…

MALICIOUS

Office (OOXML) / .XLSX

709.2 KB Created: 2020-08-20 17:59:18 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2022-08-17
MD5: 4b3ddefdbe012704bc59262598297923 SHA-1: 5b22f2117a71e9d935588a4775f0370a6c1ba781 SHA-256: e7197df49081e219d173209f69cad6e2969fd2c02fba568c42befd9247365c54
108 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 User Execution: Malicious File

The file is an Excel document containing an embedded OLE object, specifically an Equation Editor object. This object has an anomalous Ole10Native stream, indicating it likely carries a payload. The document body contains text resembling invoices and payment details, serving as a lure to encourage interaction with the embedded object. The presence of these indicators strongly suggests the file is designed to deliver a secondary malicious payload.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/Wv.4Jjx3 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
050ea81f0d977bc1afcff394a6d7f0cff06f0ed59d86274d5b7e286c849b5577		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/Wv.4Jjx3 870400 bytes
ooxml_oleobject_00_ole10native_00.bin
2b6e5241964ad3d261723d3011e4c7fc7e47a26983144b1d3d6a68610e919925		 ole-package OOXML xl/embeddings/Wv.4Jjx3 Ole10Native stream: Ole10NatiVE 861045 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.