Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 17df9d1e9c050d8b…

MALICIOUS

Office (OOXML) / .XLSX

3.12 MB
Created: 2025-10-08 01:54:00 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2026-02-23
MD5: 5a82b3d37d2a795712bc8010b84da737
SHA-1: 31a2a69107cbf88d65520c1b58d5b8fc0d981dc5
SHA-256: 17df9d1e9c050d8bf9ec13718baf042e0d71fecaf6d76076bf09294fad84f35a
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an OOXML file containing an embedded OLE object identified as an Equation Editor object. Embedding such an object is a common way to exploit vulnerabilities in the Equation Editor component and execute arbitrary code. Its presence strongly suggests an attempt to deliver a malicious payload.

Heuristics 2

  • Equation Editor OLE object (high, CVE related, OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/STZoesd06.rt9jcx9 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (medium, OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
Hash: 390228e337790f9dcbfa7ba509199d86f37f6c74832e875f9d35862dc4b35361
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/STZoesd06.rt9jcx9
Size: 2751488 bytes