Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1945ed9226ac1376…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.83 MB
Created: 2025-09-10 01:57:00 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 98ce2cb0da36a4716605e103b6fb1699
SHA-1: 4977990cce6ec57445ec8156a4632fda84f233ce
SHA-256: 1945ed9226ac1376afb987bebb8d63247f28d684aa90be1989648f5c6903a540
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Office Open XML spreadsheet containing an embedded OLE object identified as an Equation Editor object. This type of object is known to be vulnerable to exploitation that allows arbitrary code execution. The high-severity heuristic that fired confirms the presence of this exploit vector.

Heuristics 2

  • Equation Editor OLE object (high, CVE related, OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/4OC.OI7U contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (medium, OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    458f8b082a263cc3a2227ffdc71ab7fad1c34fd428d515424dcf8e3245a3e2c0
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/4OC.OI7U
    Size: 2898944 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    9eff03ecd0dc3d55e973fd358aa455d69a634c610c0b8bceba547d0af7d42445
    Kind: ole-package
    Source: OOXML xl/embeddings/4OC.OI7U Ole10Native stream: olE10NATIvE
    Size: 2873551 bytes