Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 f8847e6cfa9d58ce…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.98 MB
Created: 2023-09-27 08:05:40 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2023-10-26
MD5: c1521547dea051bd7a007516511fb2ca
SHA-1: 2043d9356251df20db257aae03b545450de94a01
SHA-256: f8847e6cfa9d58ce821bca8d28dffabf0217bee958a71d1b1bcffbc44a48487d
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model (the exploitation of the embedded component itself maps more directly to T1203 Exploitation for Client Execution)

The workbook carries an embedded OLE object whose root storage CLSID is that of the legacy Equation Editor (Equation.3, EQNEDT32.EXE). When the document is opened, Office hands the object to that component, and malformed object data can trigger the memory-corruption bugs CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798 to run attacker code without any macro or user prompt. The same OLE object also carries an Ole10Native (Packager) stream of about 2.7 MB, the usual vehicle for the file a dropper writes to disk. Taken together, these indicate a malicious dropper: legitimate workbooks rarely embed Equation Editor objects, and Microsoft removed the component in its January 2018 Office updates, so a document authored in 2023 that still embeds it is suspicious on its own. The exploit only fires on hosts where EQNEDT32.EXE is still present; on patched hosts the payload is inert but the document is still an indicator of targeting.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/vuTLX.h0sW contains the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    The document contains an embedded OLE object; on its own this is not malicious, but every OLE part deserves inspection.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 4b27b73fa1b2f32b7ecc297cd08a5b0f85b9c0f35e22285091d4c922160c9bc0
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part xl/embeddings/vuTLX.h0sW
  Size: 2810368 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: c9110a8fd12b7403e4d00c392728058fe500dd54cec15f8ec79195f41fb25014
  Kind: ole-package
  Source: OOXML xl/embeddings/vuTLX.h0sW, Ole10Native stream (stream name as stored: olE10native)
  Size: 2785887 bytes
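The checks behind the two heuristics above, plus a parser for the kind of Ole10Native stream carved as the second artifact, as an added Python example; this is not the analysis platform's own code. It assumes the Equation Editor root CLSID {0002CE02-0000-0000-C000-000000000046} as the marker, the Ole10Native layout as read by oletools' oleobj, and constructed inputs (a minimal CFB container and a synthetic Packager stream; the part name oleObject1.bin and the payload are made up) in place of the real sample.

```python
import io
import struct
import uuid
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Root-storage CLSID of the legacy Equation Editor (Equation.3 / EQNEDT32.EXE).
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
FATSECT, ENDOFCHAIN, FREESECT, NOSTREAM = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF


def cfb_root_clsid(blob):
    """Root storage CLSID of a Compound File Binary (OLE2) blob. Only the header and
    first directory sector are read: Root Entry is entry 0, CLSID at offset 80."""
    if not blob.startswith(CFB_MAGIC):
        raise ValueError("not a CFB/OLE2 container")
    sector_size = 1 << struct.unpack_from("<H", blob, 30)[0]
    first_dir_sector = struct.unpack_from("<I", blob, 48)[0]
    entry = (first_dir_sector + 1) * sector_size  # sector n starts at (n+1)*size
    return uuid.UUID(bytes_le=blob[entry + 80:entry + 96])


def triage_ooxml(ooxml_bytes):
    """Classify OLE containers under */embeddings/ like OOXML_OLE_OBJECT / OLE_EQUATION_EDITOR."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        for part in z.namelist():
            if "/embeddings/" not in part:
                continue
            blob = z.read(part)
            if not blob.startswith(CFB_MAGIC):
                continue  # embedded part that is not an OLE2 container
            clsid = cfb_root_clsid(blob)
            eqn = clsid == EQUATION_EDITOR_CLSID
            findings.append({"part": part, "clsid": str(clsid).upper(),
                             "equation_editor": eqn,
                             "severity": "high" if eqn else "medium"})
    return findings


def _cstring(buf, pos):
    end = buf.index(b"\0", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream):
    """Unpack a carved Packager Ole10Native stream into (label, source path, payload).
    Layout (as parsed by oletools' oleobj): u32 size, u16 flags, NUL-terminated label,
    NUL-terminated source path, u32 unknown, u32 temp-path length, temp path,
    u32 payload size, payload."""
    pos = 6  # skip total size and flags
    label, pos = _cstring(stream, pos)
    src_path, pos = _cstring(stream, pos)
    pos += 4  # unknown dword
    temp_len = struct.unpack_from("<I", stream, pos)[0]
    pos += 4 + temp_len
    size = struct.unpack_from("<I", stream, pos)[0]
    payload = stream[pos + 4:pos + 4 + size]
    if len(payload) != size:
        raise ValueError("truncated Ole10Native payload")
    return label, src_path, payload


def build_minimal_cfb(root_clsid):
    """Constructed test input: smallest CFB with a root CLSID (header, FAT in sector 0,
    directory in sector 1 holding only Root Entry, no streams)."""
    root_clsid = uuid.UUID(str(root_clsid))
    hdr = bytearray(512)
    hdr[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # v3, LE, 512/64-byte sectors
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # DIFAT: FAT is sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    root = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\0\0"
    root[0:len(name)] = name
    struct.pack_into("<HBBIII", root, 64, len(name), 5, 1, NOSTREAM, NOSTREAM, NOSTREAM)
    root[80:96] = root_clsid.bytes_le
    return bytes(hdr) + fat + bytes(root) + b"\0" * 384


def build_ole10native(label, src_path, payload):
    """Constructed test input: a Packager stream in the layout parse_ole10native expects."""
    temp = src_path.encode() + b"\0"
    body = (struct.pack("<H", 2) + label.encode() + b"\0" + src_path.encode() + b"\0"
            + struct.pack("<II", 0x00030000, len(temp)) + temp
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


def build_sample_xlsx(embedded_part, part_name="xl/embeddings/oleObject1.bin"):
    """Constructed stand-in workbook; the real sample's part is xl/embeddings/vuTLX.h0sW."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr(part_name, embedded_part)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_ooxml(build_sample_xlsx(build_minimal_cfb(EQUATION_EDITOR_CLSID))):
        print(f)
    stream = build_ole10native("invoice.exe", "C:\\Users\\x\\invoice.exe", b"MZ" + b"\x90" * 30)
    print(parse_ole10native(stream)[:2])
```

Two caveats when running this against real documents: the root-storage CLSID is only one place the object type can be declared (the OOXML relationship's ProgID and the \x01CompObj stream are others, and samples have used alternate CLSIDs that still route to EQNEDT32.EXE), and the minimal CFB reader here does not walk the FAT, so carving the Ole10Native stream out of a real object, as the report did, is a job for olefile/oletools; parse_ole10native then takes that carved stream.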