Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1d09ae68dfe88535…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.19 MB
Created: 2025-08-18 05:08:49 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 086ef92abbc08a52a075f0c3b249a09b
SHA-1: e317554ed995deb7b45b55c643e455cb8f665832
SHA-256: 1d09ae68dfe8853502eff3b310b2bdbdb00831b2226e1f219ca2674109bf3898
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The primary finding is a high-severity heuristic: an Equation Editor OLE object is embedded in the XLSX file. Embedding this legacy component is a common technique for exploiting vulnerabilities in Microsoft Office applications and often leads to arbitrary code execution. The embedded OLE object is the most significant indicator of malicious intent in this sample.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/K5ZqwJt24.ZD contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: f5a69eb0914b06054f2a7aff8cef82c38acce3ce52fd552b677233252a511a05
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/K5ZqwJt24.ZD
  Size: 3089408 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 6b4617abb49e7035514468babb2b877f03a89ceb9dc162f530a067a013b60283
  Kind: ole-package
  Source: OOXML xl/embeddings/K5ZqwJt24.ZD Ole10Native stream: Ole10nAtIvE
  Size: 3062486 bytes