Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e8c23747fda094f9…

MALICIOUS

Office (OOXML) / .XLSX

Size: 662.3 KB    Created: 2023-11-17 18:26:59 UTC    Authoring application: Microsoft Excel 12.0000
MD5:     a67248c7606ee7823c999b2c48feb094
SHA-1:   e9e21eefd175e3a465b582ad9a25d6d59ca7865b
SHA-256: e8c23747fda094f9b5be72f5dc54a9a28c61a36f9aa07611e73bc600916b6a2d
Risk score: 62

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File; T1559.001 Inter-Process Communication: Component Object Model

The file is an Excel spreadsheet with a single embedded OLE object (xl/embeddings/6GnK.62YS) whose CLSID identifies it as a Microsoft Equation Editor object. This is a high-confidence indicator of malicious intent: the legacy Equation Editor component (EQNEDT32.EXE) is the target of the stack-overflow exploits tracked as CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798, and has no plausible business purpose in a sheet whose body contains only numerical data. The object also carries an Ole10Native stream (a packaged payload of roughly 928 KB) whose name is written in non-canonical mixed case, "Ole10nAtIvE" rather than "Ole10Native", a pattern consistent with evasion of case-sensitive stream-name signatures. No VBA or other scripts were extracted, so the attack pattern is inferred from the structure of the embedded object rather than from observed behaviour; dynamic analysis or manual inspection of the carved streams is needed to confirm the exploit and recover the payload.

Heuristics (2)

  • Equation Editor OLE object [high] [CVE related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/6GnK.62YS contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
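The two heuristics above can be reproduced with a short triage script. The following is an added example written for this page, not the analysis vendor's own detection code: it walks the OOXML zip, finds embedded parts, checks each for the Compound File signature, the Equation Editor 3.0 CLSID ({0002CE02-0000-0000-C000-000000000046}, assumed to be the "Equation Editor CLSID" the heuristic refers to) and a case-insensitive Ole10Native directory-entry name. The rule names are borrowed from the report; the sample it runs on is a constructed stand-in that reuses only the part name and stream-name spelling from the report, not the real malicious file.

```python
import io
import re
import uuid
import zipfile

# Compound File Binary (OLE2) signature; every genuine embedded OLE part starts with it.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Equation Editor 3.0 CLSID (assumption: this is the "Equation Editor CLSID" the report
# refers to). The CFB root directory entry stores it in GUID little-endian layout, which
# uuid.UUID.bytes_le reproduces, so a raw byte search finds it without a full CFB parser.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
KNOWN_CLSIDS = {EQNEDT_CLSID.bytes_le: "Equation Editor (CVE-2017-11882 family)"}

# Directory-entry names are UTF-16LE. The canonical stream is "\x01Ole10Native"; samples
# vary the letter case to dodge exact-match signatures, so match case-insensitively
# (re.IGNORECASE covers ASCII letters in bytes patterns).
OLE10NATIVE_RE = re.compile(
    b"".join(ch.encode("ascii") + b"\x00" for ch in "Ole10Native"), re.IGNORECASE
)

EMBEDDING_DIRS = ("xl/embeddings/", "word/embeddings/", "ppt/embeddings/")


def scan_embedding(part_name, blob):
    """Return (severity, rule, part, detail) tuples for one embedded part."""
    findings = []
    if not blob.startswith(OLE_MAGIC):
        return findings  # not an OLE compound file (e.g. a bare binary or image)
    findings.append(("medium", "OOXML_OLE_OBJECT", part_name, "embedded OLE compound file"))
    for clsid_bytes, label in KNOWN_CLSIDS.items():
        if clsid_bytes in blob:
            findings.append(("high", "OLE_EQUATION_EDITOR", part_name, label))
    m = OLE10NATIVE_RE.search(blob)
    if m:
        name = m.group(0).decode("utf-16-le")
        severity, note = "medium", f"Ole10Native stream present as '{name}'"
        if name != "Ole10Native":
            severity = "high"
            note += " (non-canonical case, possible signature evasion)"
        findings.append((severity, "OLE10NATIVE_PACKAGE", part_name, note))
    return findings


def scan_ooxml(data):
    """Scan an OOXML document (bytes) and return findings for every embedded part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.startswith(EMBEDDING_DIRS):
                findings.extend(scan_embedding(info.filename, zf.read(info.filename)))
    return findings


def build_constructed_sample():
    """Constructed stand-in, NOT the real sample: a minimal zip whose embedded part carries
    only the CFB magic, the Equation Editor CLSID in LE layout and a UTF-16LE directory
    name spelled the way the report shows it. It is enough to exercise the heuristics."""
    fake_ole = (OLE_MAGIC + b"\x00" * 504
                + EQNEDT_CLSID.bytes_le + b"\x00" * 48
                + "Ole10nAtIvE".encode("utf-16-le") + b"\x00" * 64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        zf.writestr("xl/embeddings/6GnK.62YS", fake_ole)
    return buf.getvalue()


if __name__ == "__main__":
    for severity, rule, part, detail in scan_ooxml(build_constructed_sample()):
        print(f"{severity:6} {rule:20} {part}: {detail}")
```

The byte search is deliberately loose: it flags a CLSID or stream name anywhere in the part, which is what you want for triage but can misfire on a document that merely contains those bytes in data. For a verdict, follow up by parsing the compound file properly (for example with olefile) and carving the Ole10Native stream, as the report's artifact list shows was done here.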

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                               Kind              Source                                                         Size
ooxml_oleobject_00.bin                 ooxml-ole-object  OOXML embedded OLE part: xl/embeddings/6GnK.62YS               938,496 bytes
  SHA-256: 7de76304a0050645f19607b5ffa2d75a791d1bcf5c670270d54de3ef0f092114
ooxml_oleobject_00_ole10native_00.bin  ole-package       OOXML xl/embeddings/6GnK.62YS Ole10Native stream: Ole10nAtIvE  928,544 bytes
  SHA-256: 361d53af4fec5597cf7f87187d0b4ec7da936f5f47d3ac4c5064e764ec8559eb