Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ef561a4cdb2a47c9…

MALICIOUS

Office (OOXML) / .XLSX

Size: 719.4 KB
Created: 2024-09-30 12:55:35 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 29a10a50eb01fe79324c9cd3dc663941
SHA-1: a36ccbd34c01fed16e27a53751accab681941c5a
SHA-256: ef561a4cdb2a47c93a4b84a825c5ef76cbaf89ae3e1d7bef8034c33e0b8a1c03
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is an OOXML document containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object is frequently used to exploit vulnerabilities in Microsoft Office applications. The presence of this object strongly suggests an attempt to execute malicious code or exploit a CVE, leading to a malicious verdict. No scripts were extracted, and the document body content is financial in nature and does not directly indicate malicious intent, but the OLE object is a high-confidence indicator.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE-related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/Ea.ZtoIOp1 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 4633ba84c9eef9e6d30fec1b1b8bc1514b0d5a1a01969daac920a9b6c91b5d77
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/Ea.ZtoIOp1
  Size: 949248 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: bc52fcfd788683a9f309a1fd94c21662bf5da4e5629351943e53f2b2e41229e3
  Kind: ole-package
  Source: OOXML xl/embeddings/Ea.ZtoIOp1 Ole10Native stream: OLe10natIVE
  Size: 939159 bytes