Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ee7b73b6efb20119…

MALICIOUS

Office (OOXML) / .XLSX

Size: 701.9 KB
Created: 2023-08-03 11:34:29 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 56f3ea41f0819ba9485d1092819cc813
SHA-1: ed32a5599ee02fa9a6f2156ea6f2a8d8b26c20c3
SHA-256: ee7b73b6efb201197fa55636c90b8283e90095c2c2c948daa44cd5fa5a0cb43a
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model (the OLE/COM activation path used to load the object; the Equation Editor exploit itself maps to T1203 Exploitation for Client Execution)

The sample is an Excel workbook (OOXML) that carries an embedded OLE object under xl/embeddings/ whose CLSID identifies Equation Editor 3.0 (EQNEDT32.EXE). Equation Editor is the legacy component exploited by CVE-2017-11882, a stack buffer overflow that is triggered when Excel renders the object and yields arbitrary code execution with no macros involved; Microsoft removed the component from Office in January 2018, so any document that still embeds it deserves scrutiny. A genuine equation object in a spreadsheet is possible but uncommon, which is why the finding is scored as strongly suggestive rather than conclusive: confirming exploitation requires inspecting the object's streams for the malformed MTEF record, or detonating the file. The Ole10Native stream carved below is 955530 bytes of the 965632-byte object, so it should be extracted and identified on its own as the likely delivered payload.

Heuristics (2)

  • Equation Editor OLE object [severity: high; tag: CVE related] (rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/TwZruc.YJB55MN contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • Embedded OLE object [severity: medium] (rule OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: f3615d07b0a0a5f696e6db7e7fe3ab97665374c840aec0326ea822b337810f1d
Kind: ooxml-ole-object
Source: OOXML embedded OLE part xl/embeddings/TwZruc.YJB55MN
Size: 965632 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
SHA-256: 26d24761b7e7bd040bd45d09d9234e423cca7ce3c6da51fdc9bb16b72f2fad0b
Kind: ole-package
Source: Ole10Native stream "oLe10nATIVe" inside xl/embeddings/TwZruc.YJB55MN
Size: 955530 bytes

The stream name is recorded exactly as it appears in the object. Compound-file directory names are compared case-insensitively, so Office still treats oLe10nATIVe as the Ole10Native package stream, while a case-sensitive signature on the literal string "Ole10Native" would miss it; detection logic should normalise the name before matching.
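The two heuristics listed above and the case-insensitive stream-name matching can be reproduced offline. The Python below is an added example written for this page, not the analysis platform's code: it walks the OOXML zip, parses each embedded compound file's directory with a minimal reader (for real work use olefile/oletools; this reader handles only v3 files whose DIFAT fits in the header), checks the root storage CLSID and scans the object for the CLSID bytes, and matches stream names the way the format does. The workbook it inspects is constructed in memory with a toy compound-file writer and stands in for the analysed sample; the part name oleObject1.bin, the 4096 zero bytes used as payload and the Package CLSID used for the benign variant are assumptions of the example.

```python
"""Static triage for the report's two heuristics: an embedded OLE object whose root
storage carries the Equation Editor CLSID, and an Ole10Native package stream matched
case-insensitively (the compound-file format compares names that way, so a stream
spelled oLe10nATIVe is Ole10Native to Office). Added example with a constructed
in-memory .xlsx; not the analysis platform's code and not the analysed sample."""
import io
import struct
import uuid
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")  # Equation.3
PACKAGE_CLSID = uuid.UUID("0003000C-0000-0000-C000-000000000046")          # OLE "Package", benign variant
EMBEDDING_DIRS = ("xl/embeddings/", "word/embeddings/", "ppt/embeddings/")


def parse_cfb_directory(blob):
    """Directory entries of a v3 compound file. Reads only the 109 header DIFAT slots
    (files up to ~6.8 MB); a visited set stops malformed FAT loops."""
    if not blob.startswith(CFB_MAGIC):
        raise ValueError("not a compound file")
    sector = 1 << struct.unpack_from("<H", blob, 0x1E)[0]
    n_fat, first_dir = struct.unpack_from("<II", blob, 0x2C)
    fat = []
    for fat_sec in struct.unpack_from("<109I", blob, 0x4C)[:n_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sector // 4), blob, (fat_sec + 1) * sector))
    entries, sec, seen = [], first_dir, set()
    while sec < len(fat) and sec not in seen:          # ENDOFCHAIN/FREESECT fall out of range
        seen.add(sec)
        base = (sec + 1) * sector
        for off in range(base, base + sector, 128):
            raw = bytes(blob[off:off + 128])
            if len(raw) < 128:
                break                                   # truncated file
            name_len, etype = struct.unpack_from("<HB", raw, 0x40)
            if etype == 0 or not 2 <= name_len <= 64:
                continue                                # unused slot or malformed name
            entries.append({"name": raw[:name_len - 2].decode("utf-16-le", "replace"),
                            "type": etype,              # 1 storage, 2 stream, 5 root
                            "clsid": uuid.UUID(bytes_le=raw[0x50:0x60]),
                            "size": struct.unpack_from("<I", raw, 0x78)[0]})  # v3: low dword only
        sec = fat[sec]
    return entries


def triage_ooxml(package_bytes):
    """Apply both heuristics to every embedded OLE part of an OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        for part in z.namelist():
            if not part.startswith(EMBEDDING_DIRS):
                continue
            blob = z.read(part)
            if not blob.startswith(CFB_MAGIC):
                continue                                # embedded part that is not OLE
            entries = parse_cfb_directory(blob)
            root = next((e for e in entries if e["type"] == 5), None)
            streams = {e["name"]: e["size"] for e in entries if e["type"] == 2}
            rules = []
            # Root CLSID is the primary signal; the raw byte scan also catches a CLSID that a
            # builder placed only in the \x01CompObj stream.
            if (root and root["clsid"] == EQUATION_EDITOR_CLSID) or EQUATION_EDITOR_CLSID.bytes_le in blob:
                rules.append("OLE_EQUATION_EDITOR")
            if any(n.lstrip("\x01").upper() == "OLE10NATIVE" for n in streams):
                rules.append("OLE10NATIVE_PACKAGE")
            findings.append({"part": part, "root_clsid": str(root["clsid"]) if root else None,
                             "streams": streams, "rules": rules})
    return findings


def build_ole_object(root_clsid, streams):
    """Toy v3 compound-file writer for the fixture: sector 0 = FAT, sector 1 = directory,
    stream data in regular sectors (each stream >= 4096 bytes; no mini stream)."""
    fat, body, entries = [FATSECT, ENDOFCHAIN], bytearray(), []

    def entry(name, etype, clsid, left_right_child, start, size):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        return (raw.ljust(64, b"\x00") + struct.pack("<HBB3I", len(raw), etype, 1, *left_right_child)
                + clsid.bytes_le + b"\x00" * 20 + struct.pack("<IQ", start, size))

    entries.append(entry("Root Entry", 5, root_clsid, (NOSTREAM, NOSTREAM, 1 if streams else NOSTREAM), ENDOFCHAIN, 0))
    for i, (name, payload) in enumerate(streams, 1):
        if len(payload) < 4096:
            raise ValueError("toy writer keeps streams in regular sectors only")
        start, padded = 2 + len(body) // 512, payload.ljust(-(-len(payload) // 512) * 512, b"\x00")
        fat += list(range(start + 1, start + len(padded) // 512)) + [ENDOFCHAIN]
        body += padded
        right = i + 1 if i < len(streams) else NOSTREAM  # siblings as a right-leaning chain
        entries.append(entry(name, 2, uuid.UUID(int=0), (NOSTREAM, right, NOSTREAM), start, len(payload)))
    assert len(fat) <= 128 and len(entries) <= 4        # one FAT sector, one directory sector
    header = struct.pack("<8s16sHHHHH6s9I", CFB_MAGIC, b"\x00" * 16, 0x3E, 3, 0xFFFE, 9, 6, b"\x00" * 6,
                         0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0) + struct.pack("<109I", 0, *[FREESECT] * 108)
    return (header + struct.pack("<128I", *fat, *[FREESECT] * (128 - len(fat)))
            + b"".join(entries).ljust(512, b"\x00") + bytes(body))


def build_sample_xlsx(equation_editor=True):
    """Constructed workbook mirroring the report: one OLE part under xl/embeddings/ plus a
    non-OLE part the walker must skip. The 4096 zero bytes stand in for the real payload."""
    clsid = EQUATION_EDITOR_CLSID if equation_editor else PACKAGE_CLSID
    ole = build_ole_object(clsid, [("\x01oLe10nATIVe", b"\x00" * 4096)])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # stub; the walker does not need it
        z.writestr("xl/embeddings/oleObject1.bin", ole)  # assumed part name
        z.writestr("xl/embeddings/oleObject2.bin", b"not an OLE compound file")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_ooxml(build_sample_xlsx()):
        print(f["part"], f["root_clsid"], f["rules"], f["streams"])
```

On the constructed workbook the walker reports one finding, with both rule names and the mixed-case stream recorded under its original spelling; swapping the root CLSID for the Package CLSID drops OLE_EQUATION_EDITOR while the Ole10Native match still fires, which is the behaviour a case-sensitive string match on "Ole10Native" would not give you.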