Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 09cc64b918ae9fcc…

MALICIOUS

Office (OOXML) / .XLSX

2.57 MB Created: 2025-09-04 00:14:20 UTC Authoring application: Microsoft Excel 12.0000
MD5: 3c3a30c77d78e9a6141117da528fe013 SHA-1: 329b75b1d1beb471bfce9e16a4bf648c3bad277c SHA-256: 09cc64b918ae9fcc7eb855e7a72e595145648adb4eac466750f072146ea0a813
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.005 Visual Basic

The sample is an Excel document containing an embedded OLE object, specifically identified as an Equation Editor exploit. The document body, though partially truncated and in Afrikaans, contains text that appears to be a lure ('BESONDERHEDE VIR HIERDIE MAAND' - 'Special details for this month') and instructs the user to enable content, which is a common tactic for macro-based malware. The presence of the Equation Editor OLE object strongly suggests exploitation for client execution.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/PFS4.tFscP contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
cf43a490d13f88b4a4aa6a6f07713cabffe35ea0b1e6bab87849f6cb6fd37710		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/PFS4.tFscP 3004928 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.