Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 fb515d3ef8a4e4a4…

MALICIOUS

Office (OOXML) / .XLSX

711.0 KB Created: 2023-09-27 08:05:40 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2023-10-05
MD5: 83eeefabbffbd97d45782f55dd6ed246 SHA-1: 7b0e6024cedb9ac7a460b2971ad74d9e5db52d92 SHA-256: fb515d3ef8a4e4a47487b5107d5cbc343a74cd56432e00473d6027f700f9f971
100 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking T1204.002 Malicious File

The file contains an embedded OLE object, specifically identified as an Equation Editor. Heuristics indicate an anomaly in the Ole10Native stream within this object, suggesting it carries a payload. The unusually large declared inner size compared to the stream size points to potential exploitation or data manipulation within the OLE object.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/KJvYhsT.LV9wm contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
ce510329e29a8521d55797d7e40429c517a468468c4c38589283ce26d4096021		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/KJvYhsT.LV9wm 1029120 bytes
ooxml_oleobject_00_ole10native_00.bin
26173805be4ec8997c7b0532e6649ba6d534bb3c8c9947c2884f1a91a5db4901		 ole-package OOXML xl/embeddings/KJvYhsT.LV9wm Ole10Native stream: oLE10NATIVe 1018454 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.