Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 0d1be7807b7ac9f5…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.70 MB
Created: 2025-09-04 12:51:04 UTC
Authoring application: Microsoft Excel 12.0000
MD5: e9c3664186aa0e9762be519224d79d30
SHA-1: 6bc924c54a86dcf949fe820487dba1cb96807383
SHA-256: 0d1be7807b7ac9f58edab01c9fb6582db5c5e1c19a2c33b8d7c61a70c14642c2
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample contains an embedded OLE object identified as an Equation Editor object, a legacy component that is a well-known vector for exploiting document-parsing vulnerabilities. The 'OLE_EQUATION_EDITOR' and 'OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY' heuristics indicate that this object likely carries a malicious payload. The presence of this exploit suggests the document was delivered as a spearphishing attachment intended to execute arbitrary code when opened.

Heuristics (4)

  • Equation Editor OLE object [high, CVE related] (OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/7Cl.fZmaIW contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream [high] (OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object [medium] (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://www.merriam-webster.com/dictionary/encyclopedia

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                                Kind              Source                                                          Size
ooxml_oleobject_00.bin                  ooxml-ole-object  OOXML embedded OLE part: xl/embeddings/7Cl.fZmaIW               2765312 bytes
  SHA-256: 82687de15cd21c9a775d8522f9718d817210fb48224d98ffbb4950d32a9d0d95
ooxml_oleobject_00_ole10native_00.bin   ole-package       OOXML xl/embeddings/7Cl.fZmaIW Ole10Native stream: oLE10natIVe  2741154 bytes
  SHA-256: 26e17b559ab6be1408a11fe5be3b359cf8a9556e9b79e83270a1908e3abdae42