Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ffa06b4d4e2bb750…

MALICIOUS

Office (OOXML) / .XLSX

Size: 12.1 KB
Created: 2018-03-14 13:56:47 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 588e113279fe1c46dc426fb015564516
SHA-1: 26688184627dd0c53f1144b7300abe70cf37d164
SHA-256: ffa06b4d4e2bb7501c6d1cfbc01b8678aaf33e44dce76eeda2881ec17a5a8bac
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link: Malicious Link
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment
  • T1566.002 Phishing: Spearphishing via Service

The file is an Office Open XML spreadsheet containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. High-severity heuristics indicate an anomalous Equation Editor native stream consistent with CVE-2018-0798, a known Equation Editor vulnerability exploited for arbitrary code execution. The document body appears to be form-like data, suggesting a lure to entice the user to open the file and interact with the malicious embedded object. No scripts were extracted, and no direct IOCs such as URLs or hashes were found within the provided evidence.

Heuristics (3)

  • Equation Editor OLE object [severity: high; CVE related] (OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/oleObject1.bin contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • CVE-2018-0798 — anomalous Equation Editor native stream [severity: high; CVE likely] (CVE_2018_0798_EQUATION_NATIVE_ANOMALY)
    Embedded Equation Editor OLE data contains anomalous native stream bytes consistent with a CVE-2018-0798-style Equation Editor exploit. This is treated as likely CVE evidence because the Equation object is malformed and payload-like, but it does not match the exact public matrix-overflow byte signature.
  • Embedded OLE object [severity: medium] (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256: e841b02766dd7d9da66c25adb7d62823b009cf8826892f609270bdfbfffb6f2f
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
  Size: 3584 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: c2fb7e08c37e615c6fe6c322be65ff6494f67aaf9c9008d1bcacfe522796cd3f
  Kind: ole-package
  Source: OOXML xl/embeddings/oleObject1.bin Ole10Native stream: OLE10NatIvE
  Size: 1531 bytes