Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e81548c41b95869f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 684.3 KB
Created: 2023-09-27 08:05:40 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2023-10-05

MD5: 28a39a6d78220eaa32c48a793323ccd9
SHA-1: 3a7f53ddac31e50b50f44a68b71eb5b5c47d523d
SHA-256: e81548c41b95869f19733ffe6463bc9a2ca3998ca49da38862b8b71181b76b5c

Risk Score: 140

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
T1204.001 User Execution: Malicious Link

The file is an Excel workbook with one embedded OLE object (xl/embeddings/jd.6RgK). The object's CLSID identifies the legacy Equation Editor component (EQNEDT32.EXE), the target of CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. Instead of an Equation Native stream, however, it carries a large, high-entropy Ole10Native (Packager) stream whose declared package sizes do not match the stream's actual length, plus a run of 20 or more 0x90 bytes consistent with a NOP sled padding a stack buffer overflow exploit. This is the shape of a document that exploits the Equation Editor overflow, most plausibly CVE-2017-11882, but the MTEF record that would tie the sample to a specific CVE was not matched, so the CVE attribution is inferred rather than confirmed. The embedded OLE object is the primary mechanism for delivering the malicious payload.

Heuristics (4)

  • Equation Editor OLE object  [high] [CVE related]  OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/jd.6RgK contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • NOP sled detected  [high]  SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes.
  • Equation Editor object carries payload-like Ole10Native stream  [high]  OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    The embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. The rule does not assign a specific CVE unless the MTEF (Equation Native) exploit primitive also matches.
  • Embedded OLE object  [medium]  OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
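The four heuristics above reduce to a handful of concrete checks on the embedded object: does the CFB root entry's CLSID belong to Equation Editor, is there an Ole10Native stream (matched case-insensitively, since the stream in this sample is named OLe10nATIvE), do the two size fields inside that stream agree with its real length, does the payload contain a 20+ byte run of 0x90, and how close to 8 bits/byte is its entropy. The following is an added example of those checks, not the analysis platform's rule code (which is not on this page). It assumes the Ole10Native field order that oletools parses, uses the Equation.3 CLSID 0002CE02-0000-0000-C000-000000000046, and runs over two constructed streams built inline; the `jd.6RgK` label is reused from the report purely as a label, and no byte of the constructed samples comes from the reported file.

```python
import math
import random
import re
import struct
import uuid
from dataclasses import dataclass, field

# CLSID of the legacy Equation Editor component (Equation.3 / EQNEDT32.EXE).
EQUATION_EDITOR_CLSID = "0002ce02-0000-0000-c000-000000000046"
EQUATION_EDITOR_CLSID_LE = uuid.UUID(EQUATION_EDITOR_CLSID).bytes_le
NOP_SLED_MIN = 20        # the report's threshold: 20+ consecutive 0x90 bytes
HIGH_ENTROPY_BITS = 7.0  # bits per byte; packed or encrypted data sits near 8


def is_equation_editor(raw_clsid: bytes) -> bool:
    """raw_clsid: the 16-byte CLSID of a CFB directory entry (little-endian
    Data1/2/3 layout, as stored in the root entry of the OLE container)."""
    return str(uuid.UUID(bytes_le=raw_clsid)) == EQUATION_EDITOR_CLSID


def is_ole10native_name(stream_name: str) -> bool:
    """CFB directory lookups are case-insensitive, so 'OLe10nATIvE' still loads
    through the OLE Packager; the leading \\x01 is only a control-stream marker."""
    return stream_name.lstrip("\x01").upper() == "OLE10NATIVE"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    n = len(data)
    probs = [data.count(b) / n for b in set(data)]
    return -sum(p * math.log2(p) for p in probs) if probs else 0.0


def nop_sled_runs(data: bytes, minimum: int = NOP_SLED_MIN) -> list:
    """(offset, length) of every maximal run of at least `minimum` 0x90 bytes."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(b"\x90{%d,}" % minimum, data)]


@dataclass
class Ole10Native:
    declared_size: int = 0   # u32 at offset 0: size of everything that follows
    label: bytes = b""
    src_path: bytes = b""
    temp_path: bytes = b""
    actual_size: int = 0     # u32 immediately before the embedded file's bytes
    payload: bytes = b""
    anomalies: list = field(default_factory=list)


def _cstr(buf: bytes, off: int):
    end = buf.index(b"\x00", off)  # ValueError if the terminator is missing
    return buf[off:end], end + 1


def parse_ole10native(stream: bytes) -> Ole10Native:
    """Parse a Packager (Ole10Native) stream and flag the sizing anomalies the
    OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY rule describes. Assumed layout:
    <u32 size><u16 flags><label\\0><src\\0><u16><u32><temp\\0><u32 actual><data>"""
    obj = Ole10Native()
    try:
        obj.declared_size, _flags = struct.unpack_from("<IH", stream, 0)
        off = 6
        obj.label, off = _cstr(stream, off)
        obj.src_path, off = _cstr(stream, off)
        off += 6  # reserved u16 + u32
        obj.temp_path, off = _cstr(stream, off)
        (obj.actual_size,) = struct.unpack_from("<I", stream, off)
        off += 4
    except (struct.error, ValueError):
        obj.anomalies.append("truncated header")
        return obj
    obj.payload = stream[off:off + obj.actual_size]
    if obj.declared_size != len(stream) - 4:
        obj.anomalies.append(f"declared size {obj.declared_size} != {len(stream) - 4}")
    if obj.actual_size != len(stream) - off:
        obj.anomalies.append(f"payload size {obj.actual_size} != {len(stream) - off}")
    if nop_sled_runs(obj.payload):
        obj.anomalies.append("nop sled")
    if shannon_entropy(obj.payload) >= HIGH_ENTROPY_BITS:
        obj.anomalies.append("high entropy")
    return obj


def build_ole10native(label: bytes, payload: bytes, declared_size=None) -> bytes:
    """Assemble a Packager stream for testing; declared_size overrides the
    correct leading u32 so a malformed stream can be built on purpose."""
    body = struct.pack("<H", 2) + label + b"\x00" + b"C:\\src\\" + label + b"\x00"
    body += struct.pack("<HI", 0, 0) + b"C:\\tmp\\" + label + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body) if declared_size is None else declared_size) + body


# Constructed samples (not bytes from the reported file): a well-formed package
# and an exploit-shaped one with a NOP sled, pseudo-random filler and a bogus size.
_rng = random.Random(0xC0FFEE)
BENIGN_STREAM = build_ole10native(b"notes.txt", b"quarterly figures attached\r\n" * 40)
SUSPECT_STREAM = build_ole10native(
    b"jd.6RgK",
    b"\x90" * 64 + bytes(_rng.getrandbits(8) for _ in range(4096)),
    declared_size=0x1000,
)
```

To run this against a real workbook, unzip it, open each xl/embeddings/* part as a compound file (olefile is the usual library), pass the root entry's CLSID to `is_equation_editor`, and feed any stream whose name passes `is_ole10native_name` to `parse_ole10native`. Two design points: the name match deliberately mirrors the case-insensitive lookup the OLE runtime performs, so a case-sensitive YARA string on `Ole10Native` would miss this sample while the Packager still loads it; and the size checks compare both u32 fields against the stream's physical length, because an exploit container that only needs the CLSID to trigger EQNEDT32.EXE has no reason to keep the Packager header honest.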

Extracted artifacts (2)

Files carved from inside the sample during analysis.

ooxml_oleobject_00.bin
  SHA-256: d4e6fb6a85118229912ddabf405d4597e1bc541f003ff35b076e71398cb0b13e
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/jd.6RgK
  Size:    974336 bytes

ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 10456873d332fb4d2953b7f83e1db0acdbe831042b8bea604bb429d573447071
  Kind:    ole-package
  Source:  OOXML xl/embeddings/jd.6RgK Ole10Native stream: OLe10nATIvE
  Size:    964099 bytes

Note the stream name OLe10nATIvE in place of the canonical Ole10Native: compound-file directory lookups are case-insensitive, so the OLE Packager still loads the stream, but case-sensitive string matches on the stream name will miss it. The 964099-byte stream accounts for almost all of the 974336-byte OLE object, which is itself larger than the 684.3 KB workbook only because the part is deflate-compressed inside the OOXML zip.