Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 f5d4ecb46754581d…

MALICIOUS

Office (OOXML) / .XLSX

Size: 614.7 KB
Created: 2024-03-25 10:30:17 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 7f651efea2c7d7b7b81a705b102ea174
SHA-1: 24dcb37531b9f8c8d917d64af1f41388751bad7a
SHA-256: f5d4ecb46754581dda72a594c4edbd534fab3080ebb0d6289d5ac59274d98757
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The high-severity heuristic firing for an Equation Editor OLE object indicates a likely exploit attempt. This technique is commonly used to deliver malicious payloads by leveraging vulnerabilities within the Equation Editor component. The embedded OLE object is the primary indicator of compromise.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/ZGiQ26.sJf contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: e5ebf59422b550e4e8e84700c6bb6c20de5f00415cc40aa2b9df4c5d13ad8d6e
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/ZGiQ26.sJf
    Size: 878592 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 583c44874055e347bed4517e9d845c19e9569d26620401b2d696effcfde784e2
    Kind: ole-package
    Source: OOXML xl/embeddings/ZGiQ26.sJf Ole10Native stream: OLE10naTivE
    Size: 868891 bytes