Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1110536da6a39219…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.09 MB
Created: 2026-05-18 00:25:16 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 5217c71d3464b6c4406abc70a5d0e6ae
SHA-1: 8021c83b1b07ecb7f9fd08400fbf9e602c6b58e2
SHA-256: 1110536da6a392190d7d05cfbe290b94647abedf2e12dbbd9409f04c63afdeee
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is an OOXML document containing an embedded OLE object identified as an Equation Editor exploit. This technique is commonly used to achieve arbitrary code execution on the victim's machine. The embedded object's filename is noted as a potential IOC. The exploit likely serves as a dropper for a secondary payload, though no specific details of that payload were extracted.

Heuristics 2

  • Equation Editor OLE object | high | CVE related | OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/DwMwbZD.KfPTNdQ contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object | medium | OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin (0321c3a3e0baad7b82dd2091e9d3979e380a04b3d9fc9cc9723a1334b1ec8493)
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/DwMwbZD.KfPTNdQ
Size: 2982400 bytes