Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 0ec26c3f3feac54f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.19 MB
Created: 2025-07-23 07:56:53 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 0edffdf1439b37c1985d9f9b9539d11a
SHA-1: 06e3327121a883205ba673786aca7e2a937c354a
SHA-256: 0ec26c3f3feac54fdcd6603f8fb3ce98e99225e5ffa9a52f5266476c3deeca23
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203: Exploitation for Client Execution

The sample contains an embedded OLE object identified as an Equation Editor object, a known vector for exploiting vulnerabilities such as CVE-2017-11882. A successful exploit allows arbitrary code execution in the context of the application that opens the document. No scripts were extracted, and the document body content is repetitive and likely obfuscated, so it offers no further clues to the specific payload or intent beyond the exploit itself.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE-related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/NSR.uR1GKg7 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: a95e456481cf6b5f1da9c9c035b87bda1c1fb643f4eb67c5f4fd26805a4ed281
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/NSR.uR1GKg7
Size: 3057664 bytes