Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1811d41e04a56dd4…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.05 MB
Created: 2025-05-19 00:58:37 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 22c271d6222f5e0eee5b240cbe709d5c
SHA-1: 127a76d31eaa28b0dc7a26d038adf34551e8b4ca
SHA-256: 1811d41e04a56dd4677929f55ab8163af516bf7c7eef4c3a80ea14c90a8405f5
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The sample is an OOXML spreadsheet containing an embedded OLE object whose CLSID identifies it as a Microsoft Equation 3.0 (Equation Editor) object, the legacy component targeted by the CVE-2017-11882 family of memory-corruption bugs. An Equation Editor object in an attachment of this kind is most likely an exploit intended to achieve arbitrary code execution on the victim's system when the document is opened. The document body contains what appears to be garbled text, suggesting the file is a delivery vehicle for the exploit rather than content meant to be read.

Heuristics (2)

  • OLE_EQUATION_EDITOR (severity: high; tag: CVE related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/7pN8Osp.5Fgx8Wl contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • OOXML_OLE_OBJECT (severity: medium): Embedded OLE object
    Document contains an embedded OLE object.
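The two heuristics above can be reproduced with a short stand-alone script. What follows is an added example, not code from the original report or from the analysis service that produced it: it opens an OOXML package, parses the OLE compound-file (CFB) directory of every part under an embeddings/ folder, and compares the root entry's CLSID with the Microsoft Equation 3.0 class identifier {0002CE02-0000-0000-C000-000000000046}. The function names, the rule identifiers reused from the report, and the in-memory package and OLE object it scans are all constructed for the example; the constructed object is not the 7pN8Osp.5Fgx8Wl part from the sample.

```python
"""Equation Editor detection for OOXML embedded OLE parts (added example).

Walks every embeddings/ part of an OOXML package that is an OLE compound file,
reads its directory and compares the root entry's CLSID with Equation 3.0.
The package and OLE object below are constructed inline so the script runs
offline; they are not the analysed sample.
"""
import io
import struct
import uuid
import zipfile

# Microsoft Equation 3.0 (EQNEDT32.EXE), the component behind
# CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
EQUATION_EDITOR_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")
NULL_CLSID = uuid.UUID(int=0)
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FATSECT, ENDOFCHAIN, NOSTREAM = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF


def ole_directory_entries(data):
    """Yield (name, object_type, clsid) for every used CFB directory entry."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    fat_sector_count = struct.unpack_from("<I", data, 0x2C)[0]
    first_dir_sector = struct.unpack_from("<I", data, 0x30)[0]
    # The header DIFAT holds the first 109 FAT sector numbers (about 7 MB of
    # 512-byte sectors); larger objects would also need the DIFAT chain.
    fat_sectors = struct.unpack_from("<109I", data, 0x4C)[:fat_sector_count]
    raw_fat = b"".join(data[(s + 1) * sector_size:(s + 2) * sector_size] for s in fat_sectors)
    fat = struct.unpack("<%dI" % (len(raw_fat) // 4), raw_fat)
    sector, seen = first_dir_sector, set()
    while sector < len(fat) and sector not in seen:  # ends on ENDOFCHAIN or a loop
        seen.add(sector)
        chunk = data[(sector + 1) * sector_size:(sector + 2) * sector_size]
        for off in range(0, len(chunk) - 127, 128):
            entry = chunk[off:off + 128]
            name_len = struct.unpack_from("<H", entry, 64)[0]
            obj_type = entry[66]  # 1 storage, 2 stream, 5 root storage, 0 unused
            if obj_type == 0:
                continue
            name = entry[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            yield name, obj_type, uuid.UUID(bytes_le=bytes(entry[80:96]))
        sector = fat[sector]


def scan_ooxml(package_bytes):
    """Return [(part, rule_id, severity, detail)] in the report's heuristic style."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for part in pkg.namelist():
            if "/embeddings/" not in part:
                continue
            blob = pkg.read(part)
            if blob[:8] != CFB_MAGIC:  # packaged plain files are not compound files
                continue
            findings.append((part, "OOXML_OLE_OBJECT", "medium",
                             "Document contains an embedded OLE object"))
            root = next((c for n, t, c in ole_directory_entries(blob) if t == 5), NULL_CLSID)
            if root == EQUATION_EDITOR_CLSID:
                findings.append((part, "OLE_EQUATION_EDITOR", "high",
                                 "root entry CLSID %s is Microsoft Equation 3.0" % root))
    return findings


def build_cfb(root_clsid, stream_name="Equation Native"):
    """Constructed minimal CFB: header, one FAT sector, one directory sector."""
    header = bytearray(512)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # v3, LE, 512/64-byte sectors
    struct.pack_into("<II", header, 0x2C, 1, 1)  # one FAT sector; directory starts at sector 1
    struct.pack_into("<III", header, 0x38, 0x1000, ENDOFCHAIN, 0)  # mini cutoff, no mini FAT
    struct.pack_into("<II", header, 0x44, ENDOFCHAIN, 0)  # no extra DIFAT sectors
    header[0x4C:] = b"\xff" * 436
    struct.pack_into("<I", header, 0x4C, 0)  # DIFAT[0]: the FAT lives in sector 0
    fat = bytearray(b"\xff" * 512)
    struct.pack_into("<II", fat, 0, FATSECT, ENDOFCHAIN)  # sector 0 = FAT, sector 1 = dir end

    def entry(name, obj_type, clsid, child=NOSTREAM):
        e = bytearray(128)
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(raw)] = raw
        struct.pack_into("<HBB", e, 64, len(raw), obj_type, 1)  # name length, type, colour
        struct.pack_into("<III", e, 68, NOSTREAM, NOSTREAM, child)  # no siblings
        e[80:96] = clsid.bytes_le
        return bytes(e)

    directory = (entry("Root Entry", 5, root_clsid, child=1) + entry(stream_name, 2, NULL_CLSID)
                 + entry("", 0, NULL_CLSID) * 2)
    return bytes(header) + bytes(fat) + directory


def build_sample_xlsx(root_clsid):
    """Constructed package with one embedded OLE part (layout only, not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("xl/embeddings/oleObject1.bin", build_cfb(root_clsid))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_ooxml(build_sample_xlsx(EQUATION_EDITOR_CLSID)):
        print(*finding, sep=" | ")
```

A CLSID match establishes only that the object will be handed to Equation Editor, not that it carries a working exploit; to confirm, extract the "Equation Native" stream (the MTEF data) and check the FONT record for an over-long font name, which is the stack overflow behind CVE-2017-11882. The size of the carved object in this report, about 2.9 MB for what would be a few kilobytes in a genuine equation, is a further indicator worth noting alongside the CLSID hit.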

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 00ee738af432bdee9e0b8afd43d8d41f033f792d90dbb2493fe8c816bed36065
Kind: ooxml-ole-object
Source: OOXML embedded OLE part xl/embeddings/7pN8Osp.5Fgx8Wl
Size: 2931200 bytes