Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 ecd762e9082d64d5…

MALICIOUS

Office (OLE) / .XLSX

1.69 MB
MD5: c7492fae043285a34682c522f01aa76c
SHA-1: a6381c74a6ccc0019528793336aef1f139c32712
SHA-256: ecd762e9082d64d5c6d1d8fd7033419ed11d0787f8affaa1813be2914f3ccc70

Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information

The sample is an Office file containing an embedded Equation Editor object, a common vector for exploits. It also triggers heuristics for a password-protected archive lure, suggesting the user is prompted to decrypt a payload after delivery. The SHA-256 hash is included as the primary IOC.

Heuristics (3)

  • Equation Editor OLE object [severity: high, CVE related] OLE_EQUATION_EDITOR
    Contains an Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • Password-protected archive handoff [severity: high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • Suspicious extracted artifact [severity: info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ole10native_00.bin
SHA-256: ba468649e054e4b642130bfc9a3fa9b545d4e020b01f9706d9363e0ffc155863
Kind: ole-package
Source: OLE Ole10Native stream (stream name as found in the sample: oLE10NatiVe)
Size: 1758310 bytes
Detection

ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99 (of a maximum 8.0 bits per byte), consistent with packed or encrypted content.