Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 fb28c90bf59ac469…

MALICIOUS

Office (OOXML)

Size: 671.4 KB
Created: 2006-09-16 00:00:00 UTC
Authoring application: Microsoft Excel 14.0300
First seen: 2021-07-02
MD5: 11b090b2f203f91c59cae23b6de687d6
SHA-1: 6043849a8414a67a4cb4f6512ae41cdf30292e18
SHA-256: fb28c90bf59ac469ac5c10a3076dea0b3c0ac4345b9ed04c0c9520c524eb202a
Risk score: 128

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The sample is an OOXML workbook containing an embedded OLE object whose CLSID identifies it as an Equation Editor object. Heuristics indicate that the object carries a payload-like Ole10Native stream of anomalous size (977669 of the OLE part's 988160 bytes), which is not consistent with a legitimate equation. The stream is also stored under the mixed-case name olE10NAtIVe rather than the canonical Ole10Native; compound-file stream names are matched case-insensitively, so the object still loads, while case-sensitive signatures keyed on the canonical name will miss it. The document body contains quotation and procurement language that serves as a lure to get the user to open the embedded object. An Equation Editor OLE object carrying a payload strongly suggests exploitation for client execution through the legacy EQNEDT32.EXE component, although the heuristics do not match a specific CVE.

Heuristics (5)

  • Equation Editor OLE object (high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/VlNJRc2v.P0II6y contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (high) [OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    Embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
  • Callback phishing phone lure (medium) [SE_CALLBACK_LURE]
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Fake invoice / payment lure (low) [SE_INVOICE_LURE]
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
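The first three heuristics above can be reproduced with a short triage script. The following is an added example, not code from the analysis engine that produced this report: it unzips an OOXML container, finds embedded OLE parts, reads the root-entry CLSID directly from the compound file (header plus first directory sector, no FAT walk), and scores an Ole10Native stream on declared-versus-actual size and entropy. Extracting the stream from inside the CFB (a FAT/mini-FAT walk) is left to a full parser such as olefile, so the stream is passed in directly here. The 64 KiB and 7.0-bit thresholds, the CLSID-to-rule mapping in verdict(), and all sample data are assumptions constructed for the example.

```python
"""Triage checks for an OOXML file carrying an Equation Editor OLE object.
Added example; thresholds, sample data and the rule mapping are assumptions."""
from __future__ import annotations
import io, math, random, struct, uuid, zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
EQNEDT_CLSID = "0002ce02-0000-0000-c000-000000000046"   # Equation Editor 3.0


def embedded_ole_parts(ooxml: bytes) -> list[tuple[str, bytes]]:
    """(part name, bytes) for every embedded part that is a compound file."""
    out = []
    with zipfile.ZipFile(io.BytesIO(ooxml)) as z:
        for name in z.namelist():
            if "/embeddings/" in name:
                data = z.read(name)
                if data[:8] == CFB_MAGIC:
                    out.append((name, data))
    return out


def cfb_root_clsid(ole: bytes) -> str | None:
    """Root storage CLSID: sector (first_dir_sector + 1) << shift, entry offset 0x50."""
    if len(ole) < 512 or ole[:8] != CFB_MAGIC:
        return None
    shift = struct.unpack_from("<H", ole, 0x1E)[0]
    entry = (struct.unpack_from("<I", ole, 0x30)[0] + 1) << shift
    raw = ole[entry + 0x50:entry + 0x60]
    return str(uuid.UUID(bytes_le=raw)) if len(raw) == 16 else None   # mixed-endian GUID


def is_ole10native_name(stream_name: str) -> bool:
    """OLE compares stream names case-insensitively, so olE10NAtIVe must match too."""
    return stream_name.lstrip("\x01").lower() == "ole10native"


def shannon_entropy(data: bytes) -> float:
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0


def parse_ole10native(stream: bytes) -> dict:
    """Walk the Package layout: size, flags, filename, src path, 2 dwords, temp path, data size, data."""
    info = {"actual": len(stream), "declared": None, "size_ok": False, "filename": None, "data_len": None}
    if len(stream) < 6:
        return info
    info["declared"] = declared = struct.unpack_from("<I", stream, 0)[0]
    info["size_ok"] = declared == len(stream) - 4          # size field excludes itself
    try:
        end = stream.index(b"\x00", 6)
        info["filename"] = stream[6:end].decode("latin-1")
        pos = stream.index(b"\x00", end + 1) + 1 + 8       # skip source path and two dwords
        pos = stream.index(b"\x00", pos) + 1               # skip temp path
        info["data_len"] = data_len = struct.unpack_from("<I", stream, pos)[0]
        if pos + 4 + data_len > len(stream):               # inner size overruns the stream
            info["size_ok"] = False
    except (ValueError, struct.error):
        info["size_ok"] = False
    return info


def assess_ole10native(stream: bytes, big: int = 64 * 1024, ent: float = 7.0) -> dict:
    """Flag inconsistent sizing, or a large stream that is also high-entropy."""
    info = parse_ole10native(stream)
    info["entropy"] = round(shannon_entropy(stream), 3)
    info["suspicious"] = (not info["size_ok"]) or (len(stream) >= big and info["entropy"] >= ent)
    return info


def verdict(root_clsid: str | None, ole10: dict | None) -> str:
    """Illustrative mapping of the checks onto the report's heuristic IDs."""
    eqn = root_clsid == EQNEDT_CLSID
    if eqn and ole10 is not None and ole10["suspicious"]:
        return "OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY"
    return "OLE_EQUATION_EDITOR" if eqn else "OOXML_OLE_OBJECT"


# ---- constructed sample data (not taken from the analysed file) ----
def build_cfb_with_clsid(clsid: str) -> bytes:
    """Header + one directory sector with a root entry; enough for cfb_root_clsid() only."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<H", hdr, 0x1E, 9)       # 512-byte sectors
    struct.pack_into("<I", hdr, 0x30, 0)       # directory starts at sector 0
    root = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    root[:len(name)] = name
    struct.pack_into("<H", root, 0x40, len(name))
    root[0x42] = 5                             # STGTY_ROOT
    root[0x50:0x60] = uuid.UUID(clsid).bytes_le
    return bytes(hdr) + bytes(root).ljust(512, b"\x00")


def build_ole10native(filename: str, payload: bytes, declared: int | None = None) -> bytes:
    fn = filename.encode()
    body = (struct.pack("<H", 2) + fn + b"\x00" + b"C:\\src\\" + fn + b"\x00" + struct.pack("<II", 0, 0)
            + b"C:\\tmp\\" + fn + b"\x00" + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body) if declared is None else declared) + body


def build_sample_ooxml() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/embeddings/oleObject1.bin", build_cfb_with_clsid(EQNEDT_CLSID))
    return buf.getvalue()


_rng = random.Random(7)
BENIGN_STREAM = build_ole10native("notes.txt", b"x=1\n")
MALFORMED_STREAM = build_ole10native("eqn.bin", bytes(_rng.getrandbits(8) for _ in range(96 * 1024)),
                                     declared=0x7FFFFFFF)   # declared size cannot match the stream

if __name__ == "__main__":
    for part, data in embedded_ole_parts(build_sample_ooxml()):
        clsid = cfb_root_clsid(data)
        print(part, clsid, verdict(clsid, assess_ole10native(MALFORMED_STREAM)))
```

The CLSID read relies on the CFB rule that sector n starts at byte (n + 1) << sector_shift and that the root entry is always the first 128-byte entry of the first directory sector, so no FAT traversal is needed for that one check. Against the reported sample the size check would compare the u32 at offset 0 of the 977669-byte stream with 977665; the entropy gate is what separates a genuinely large embedded file from a packed payload container.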

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/VlNJRc2v.P0II6y
  Size:    988160 bytes
  SHA-256: 1c208873daed67eb72465060e769252f92e8131d2d794c922c2f0144038d97c8

Filename: ooxml_oleobject_00_ole10native_00.bin
  Kind:    ole-package
  Source:  OOXML xl/embeddings/VlNJRc2v.P0II6y, Ole10Native stream (stored as olE10NAtIVe)
  Size:    977669 bytes
  SHA-256: 9a6a6a7f7729c4640050a98be99231cb430e13f1b1fe7c5bc017ef9c0d21125f