Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 f4de8efcde8c6243…

MALICIOUS

Office (OOXML) / .XLSX

673.4 KB Created: 2021-05-01 06:27:50 UTC Authoring application: Microsoft Excel 16.0300
MD5: 2413c7e8b5523309ad7f177775fdfeaa SHA-1: 9a84d65dd0f7569ad0727426f87a1c9e24c340d6 SHA-256: f4de8efcde8c6243d63d9d1645718a92a67d2c980e41106c4f4a432700bc4086
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The file is an XLSX document containing an embedded OLE object identified as an Equation Editor. This object exhibits an anomalous Ole10Native stream, indicating it likely carries a malicious payload. The presence of this anomalous object strongly suggests an attempt to exploit vulnerabilities or deliver malware through a seemingly legitimate document.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/ka9.FB contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — context-specific rules above attribute URLs they actually evaluated; this rule lists URLs that were present in the bytes but were not otherwise tied to a specific finding.
    URL http://schemas.openxmlformats.org/spreadsheetml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/relationships
    • http://schemas.openxmlformats.org/markup-compatibility/2006
    • http://schemas.microsoft.com/office/spreadsheetml/2009/9/ac
    • http://schemas.microsoft.com/office/spreadsheetml/2014/revision
    • http://schemas.microsoft.com/office/spreadsheetml/2015/revision2
    • http://schemas.microsoft.com/office/spreadsheetml/2016/revision3

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
8d93f86ee1b699b6d29113e4d7e5caf28dbd9680889d7a8ea26079ddea10eae1		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/ka9.FB 913408 bytes
ooxml_oleobject_00_ole10native_00.bin
2524e3ee3370f8e187ac0c62d037222ef0a467740424ce9ea224d02a5fbe7780		 ole-package OOXML xl/embeddings/ka9.FB Ole10Native stream: oLe10natiVE 904090 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.