Office (OOXML) / .XLSX malware analysis — malicious · 13afd8d3334906b1

MALICIOUS

Office (OOXML) / .XLSX

2.46 MB Created: 2025-09-04 00:14:20 UTC Authoring application: Microsoft Excel 12.0000

MD5: 4fedc5e0bb1fc6029756af1fbe7daedd SHA-1: 81edb18843ca26ec66308d1d732938039644905f SHA-256: 13afd8d3334906b1957f352a9fa46ab403e463ef46369020b8166a1477180154

80 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample is an Excel document containing an embedded OLE object, specifically identified as an Equation Editor exploit. The document body contains a lure instructing the user to enable macros or editing, a common tactic for macro-based malware. The presence of the Equation Editor exploit suggests an attempt to exploit a known vulnerability for code execution.

Heuristics 3

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/YbL8c.VN contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `6c524ca4b93b467c1ddcff90e1a14e1c0656adfb68cf442533ff3993b6d336cb`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/YbL8c.VN	2972160 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.