Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 f3ca53807f32ccbc…

MALICIOUS

Office (OOXML) / .XLSX

Size: 736.7 KB
Created: 2022-08-10 18:51:50 UTC
Authoring application: Microsoft Excel 16.0300
MD5: 7c34b23b4b7cb66c2393128c3f55a0e1
SHA-1: 2cf918f985476c7d3988b7d2ac530d32c59de12d
SHA-256: f3ca53807f32ccbc241ce2b92d7ab0727cfdf45e3fd88b9e3ac9a063f0aff086
Risk score: 100

Malware Insights

MITRE ATT&CK

  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The file is an Excel spreadsheet containing an embedded OLE object identified as an Equation Editor. This is a high-confidence indicator of malicious intent, as Equation Editor is frequently exploited to deliver malware. The presence of a NOP sled further suggests an attempt to bypass security controls. No scripts were extracted, and the document body appears to be legitimate spreadsheet data, indicating the exploit is likely contained within the OLE object itself.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/sZ.aTE8Z contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • NOP sled detected (severity: high; rule: SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256:  ee54f40389976266d679721708e89ad35d63067a767e59e8d3fa5ffe8bf84e33
  Kind:     ooxml-ole-object
  Source:   OOXML embedded OLE part: xl/embeddings/sZ.aTE8Z
  Size:     1025536 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256:  c10f9423d424c3b0d8c94e782973bc8cc21579146b943f3b6d9e8bc781de763b
  Kind:     ole-package
  Source:   OOXML xl/embeddings/sZ.aTE8Z Ole10Native stream: OLE10naTIve
  Size:     1015122 bytes