Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 00637520be01be57…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.16 MB | Created: 2025-05-22 22:02:38 UTC | Authoring application: Microsoft Excel 12.0000
MD5: 22ca449795946fd9ac57c725d1d5f9f5
SHA-1: 5eea1528bf8dc3d732817dc40a7e5224f26ca8df
SHA-256: 00637520be01be57a8704b56c415b967b28c2ea5d58e4e70f2e9009a4767fb03
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model

The sample is an OOXML (.xlsx) workbook containing an embedded OLE object whose root CLSID identifies it as a Microsoft Equation 3.0 (Equation Editor) object. That legacy component is the target of a well-known family of memory-corruption vulnerabilities (CVE-2017-11882 and its successors), and Equation Editor objects in recent documents are a common exploit carrier. The visible worksheet content is seemingly random text, which suggests the document is not meant to be read but to serve as a vehicle for the embedded object. The CLSID alone establishes that an Equation Editor object is present, not that it is malformed; confirming exploitation means inspecting the object's Equation Native stream for the crafted FONT record those CVEs abuse. Taken together with the meaningless document body, the embedded object is a strong indicator that the file is a first stage intended to execute code and fetch a second-stage payload.

Heuristics 2

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/TVwT0.0vzCX5S contains the Equation Editor CLSID ({0002CE02-0000-0000-C000-000000000046}), the legacy Microsoft Equation 3.0 component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
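The OLE_EQUATION_EDITOR heuristic above keys on the CLSID stored in the root directory entry of the embedded compound file. The following Python script is an added example, not the analysis platform's own rule code: it opens an OOXML zip, finds every part under an embeddings/ folder, parses the compound-file (CFB) header, FAT and directory chain, and flags a part whose root CLSID is {0002CE02-0000-0000-C000-000000000046} or which carries an "Equation Native" stream. The workbook it scans is constructed in memory for the demonstration; the part name xl/embeddings/oleObject1.bin and the minimal three-sector CFB layout are assumptions and do not reproduce the analyzed sample.

```python
"""Detect Equation Editor (Microsoft Equation 3.0) OLE objects embedded in OOXML."""
import io
import struct
import uuid
import zipfile

# Root CLSID of Microsoft Equation 3.0 (EQNEDT32.EXE), the component exploited by
# CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
EQUATION_EDITOR_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF


def cfb_directory(data):
    """Yield (name, object_type, clsid) for every used directory entry of a CFB file."""
    if not data.startswith(CFB_MAGIC):
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    n_fat = struct.unpack_from("<I", data, 44)[0]
    dir_start = struct.unpack_from("<I", data, 48)[0]
    difat = struct.unpack_from("<109I", data, 76)
    # Assemble the FAT from the sectors listed in the header DIFAT. That covers
    # files up to ~6.8 MB with 512-byte sectors; larger files chain extra DIFAT
    # sectors, which this minimal parser does not follow.
    fat = []
    for sect in difat[:n_fat]:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (sect + 1) * sector_size))
    sect, seen = dir_start, set()
    while sect != ENDOFCHAIN and sect not in seen:   # walk the directory chain
        seen.add(sect)
        base = (sect + 1) * sector_size
        for i in range(sector_size // 128):          # 128-byte directory entries
            entry = data[base + i * 128: base + (i + 1) * 128]
            if len(entry) < 128:
                break
            name_len, obj_type = struct.unpack_from("<HB", entry, 64)
            if obj_type == 0:                        # unused entry
                continue
            name = entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            yield name, obj_type, uuid.UUID(bytes_le=entry[80:96])
        sect = fat[sect] if sect < len(fat) else ENDOFCHAIN


def scan_ooxml(blob):
    """Return one finding per embedded OLE part in an OOXML (docx/xlsx/pptx) zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            if "/embeddings/" not in name:
                continue
            part = z.read(name)
            if not part.startswith(CFB_MAGIC):
                continue                             # e.g. a packaged non-OLE file
            entries = list(cfb_directory(part))
            clsids = {c for _, _, c in entries}
            streams = {n for n, t, _ in entries if t == 2}
            findings.append({
                "part": name,
                "equation_editor": EQUATION_EDITOR_CLSID in clsids or "Equation Native" in streams,
                "streams": sorted(streams),
            })
    return findings


def build_sample_xlsx():
    """Constructed test input (assumption): a minimal xlsx with a 3-sector CFB whose
    root entry carries the Equation Editor CLSID and one empty 'Equation Native' stream."""
    def dir_entry(name, obj_type, clsid=uuid.UUID(int=0), child=NOSTREAM):
        n = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(128)
        e[:len(n)] = n
        struct.pack_into("<HBBIII", e, 64, len(n), obj_type, 1, NOSTREAM, NOSTREAM, child)
        e[80:96] = clsid.bytes_le                    # CLSID is stored in bytes_le order
        struct.pack_into("<IQ", e, 116, ENDOFCHAIN, 0)
        return bytes(e)

    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)      # v3, 512-byte sectors
    struct.pack_into("<9I", header, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))     # FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = (dir_entry("Root Entry", 5, EQUATION_EDITOR_CLSID, child=1)
                 + dir_entry("Equation Native", 2) + b"\x00" * 256)
    ole = bytes(header) + fat + directory

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/embeddings/oleObject1.bin", ole)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_ooxml(build_sample_xlsx()):
        print(finding)
```

Against a real sample, pass the file bytes to scan_ooxml. A hit on the CLSID or the stream name only tells you an Equation 3.0 object is present; the exploit itself sits in the Equation Native stream's MTEF content, so a full triage dumps that stream and checks the FONT record length.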

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 05c2539a2ecf511873b29df532d0a2b0fd4b8f098c2b623e95bec16b882a90ab
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/TVwT0.0vzCX5S
Size: 3095552 bytes (larger than the 2.16 MB container because the zip part is deflate-compressed)