Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 061efa86d7be95a4…

MALICIOUS

Office (OOXML) / .XLSX

Size: 3.26 MB
Created: 2025-10-08 01:54:00 UTC
Authoring application: Microsoft Excel 12.0000
MD5: c633136d339d5072448bcdb9c5dc1db9
SHA-1: 7188ad89ecdd514a41224d2a13cc0cddc4f339df
SHA-256: 061efa86d7be95a4deffd9d3e6d8fbba2287a0f24154e72518aee0d3a7c90ed4
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 — Exploitation for Client Execution
  • T1566.001 — Spearphishing Attachment

The critical heuristic firing for CVE-2017-11882 indicates the file exploits a known vulnerability in Microsoft Equation Editor. This vulnerability allows for arbitrary code execution when the embedded OLE object is activated. The presence of an embedded OLE object and the specific CVE exploit strongly suggest a malicious intent to compromise the user's system.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow (severity: critical; category: CVE likely; rule: CVE_2017_11882)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object (severity: high; category: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/vu.6eUfO6J contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: a200a4aaf76f0388e7dfb9cdf230ae04274cd4cf4f93bfd9d80371a80f7ef59a
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/vu.6eUfO6J
Size: 3034112 bytes