Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ff40381a1e884c68…

MALICIOUS

Office (OOXML) / .XLSX

Size: 661.2 KB
Created: 2010-06-04 08:55:28 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2022-06-10

MD5: 56a024758d02a75b7a9f90c462c69eb7
SHA-1: ddc3dc719e3ac70880723a8c5358a49300ccc229
SHA-256: ff40381a1e884c68392a1a524961d7faf7d9be5685ed158d77557e5f6228990a

Risk Score: 100

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution
T1559.001 Component Object Model Hijacking

The file is an Office document containing an embedded OLE object identified as an Equation Editor object. This legacy component is known to be vulnerable to exploits that allow arbitrary code execution. A NOP sled was also detected, further indicating an exploit payload. The document body appears to be a purchase order, which likely serves as a lure to get the user to open the file and interact with the malicious content.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related, rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/IcE.ZjEhcK contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • NOP sled detected (severity: high, rule SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes.
  • Embedded OLE object (severity: medium, rule OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: e2a9cec5162d5c79625a5b0458aa55bea6a31e3c4b7342ba1771adb681c1e3de
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/IcE.ZjEhcK
    Size: 926720 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 9761f34c8b0ac3ccd69c6b4e1a94c9cd5d70fa7680c28b8f21ca1f115fe77014
    Kind: ole-package
    Source: OOXML xl/embeddings/IcE.ZjEhcK Ole10Native stream: OLE10naTiVE
    Size: 916550 bytes