Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 1d7fa07f04b44079…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.05 MB
Created: 2025-05-15 01:02:55 UTC
Authoring application: Microsoft Excel 12.0000
MD5: ce1d57af603f5ec7982ef557b347144a
SHA-1: 59bff354e2a80ab375ed5cb0f1d18fcfbca02a3f
SHA-256: 1d7fa07f04b4407965516b3c1af2062b717b9e32c63c680e7eac081109ca3983
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1559.001 Inter-Process Communication: Component Object Model

The file is an Office (OOXML) XLSX document containing an embedded OLE object, specifically an Equation Editor (EQNEDT32.EXE) object. High and critical severity heuristics indicate exploitation of CVE-2017-11882: the object's MTEF data carries an overlong FONT record, which triggers a stack buffer overflow in Equation Editor when the object is rendered. The overflow yields arbitrary code execution in the context of EQNEDT32.EXE as soon as the document is opened, so the file is assessed as a malicious lure built around this known vulnerability.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    The Equation Editor MTEF stream contains an overlong typeface-name field in a FONT record, the field consumed by the unchecked copy primitive behind CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone, because it identifies the malformed record that drives code execution in EQNEDT32.EXE rather than merely the presence of the vulnerable component.
  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/CGKda.sntg3ut contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
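The two checks behind the heuristics above, written out as an added Python example (not code from this report or from the scanner that produced it). Step one enumerates xl/embeddings/* parts of the workbook and looks for the Equation Editor CLSID in its on-disk byte layout; step two scans the object's "Equation Native" stream for FONT records whose name exceeds the stack buffer the copy routine writes into. Assumptions: the 0x24-byte buffer and the 44-byte distance to the saved return address are taken from public analyses of EQNEDT32.EXE and the return-address value is illustrative; the workbook, the OLE part and both MTEF streams are constructed inline, and the OLE part is a stand-in blob rather than a parseable compound file, so on a real sample the stream would first be pulled out with an OLE parser such as olefile. The FONT scan is a linear search for the record tag, not a full MTEF walker, so its hits are candidates to confirm by hand.

```python
import io
import struct
import zipfile

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in the
# little-endian GUID layout found inside OLE compound files.
EQNEDT_CLSID = bytes.fromhex("02CE020000000000C000000000000046")

# Assumption (from public analyses of EQNEDT32.EXE, not measured here): the
# FONT name is copied into a 0x24-byte stack buffer, and the saved return
# address lies 44 bytes past the start of that buffer.
FONT_NAME_BUFFER = 0x24
RET_ADDR_OFFSET = 44

EQNOLEFILEHDR_LEN = 28                 # header in front of the MTEF data
MTEF_HEADER = bytes([3, 1, 1, 3, 0])   # MTEF v3, Windows, Equation Editor
TAG_FONT = 0x08


def build_equation_native(mtef_records):
    """Wrap MTEF records in an EQNOLEFILEHDR plus MTEF header (constructed)."""
    body = MTEF_HEADER + mtef_records
    hdr = struct.pack("<HIHIIIII", EQNOLEFILEHDR_LEN, 0x00020000, 0,
                      len(body), 0, 0, 0, 0)
    return hdr + body


# Benign stream (constructed): a FONT record with a short, NUL-terminated name.
BENIGN_STREAM = build_equation_native(
    b"\x0a"                                  # FULL size record
    b"\x01\x00"                              # LINE record, no options
    b"\x08\x01\x00" b"Times New Roman\x00"   # FONT: tface 1, style 0, name
    b"\x00")                                 # END

# Exploit-shaped stream (constructed): 44 bytes of command text reach the saved
# return address, the next four bytes overwrite it, and the 0x00 high byte of
# that illustrative address is what finally terminates the copy loop.
_cmd = b"cmd.exe /c calc.exe".ljust(RET_ADDR_OFFSET, b" ")
MALICIOUS_STREAM = build_equation_native(
    b"\x08\x01\x00" + _cmd + struct.pack("<I", 0x00430C12) + b"\x00")


def find_equation_embeddings(xlsx_bytes):
    """Return the xl/embeddings/* parts that carry the Equation Editor CLSID."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("xl/embeddings/") and EQNEDT_CLSID in z.read(name):
                hits.append(name)
    return hits


def scan_font_records(equation_native):
    """Flag FONT records whose name would overrun the 0x24-byte buffer."""
    findings = []
    if len(equation_native) < EQNOLEFILEHDR_LEN + len(MTEF_HEADER):
        return findings
    if struct.unpack_from("<H", equation_native, 0)[0] != EQNOLEFILEHDR_LEN:
        return findings                       # not an Equation Native stream
    base = EQNOLEFILEHDR_LEN + len(MTEF_HEADER)
    body = equation_native[base:]
    i = 0
    while i < len(body):
        if body[i] != TAG_FONT or i + 3 > len(body):
            i += 1
            continue
        name_start = i + 3                    # skip tag, tface, style bytes
        end = body.find(b"\x00", name_start)
        if end == -1:
            end = len(body)
        copied = end - name_start             # bytes the copy loop moves
        if copied > FONT_NAME_BUFFER:
            ret = body[name_start + RET_ADDR_OFFSET:name_start + RET_ADDR_OFFSET + 4]
            findings.append({
                "offset": base + i,
                "copied_len": copied,
                "overflow_by": copied - FONT_NAME_BUFFER,
                "overwrites_return": copied > RET_ADDR_OFFSET,
                "return_address": "0x%08x" % struct.unpack("<I", ret)[0]
                                  if len(ret) == 4 else None,
                "name_prefix": body[name_start:name_start + RET_ADDR_OFFSET]
                               .decode("latin-1").rstrip(),
            })
        i = end + 1
    return findings


def build_sample_xlsx():
    """Minimal OOXML package with one OLE part (constructed). The part is a
    stand-in blob carrying the CLSID, the stream name and the MTEF data; it
    is not a valid compound file."""
    ole_part = EQNEDT_CLSID + "Equation Native".encode("utf-16-le") + MALICIOUS_STREAM
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/embeddings/oleObject1.bin", ole_part)
    return buf.getvalue()


if __name__ == "__main__":
    print("Equation Editor parts:", find_equation_embeddings(build_sample_xlsx()))
    print("benign stream:", scan_font_records(BENIGN_STREAM))
    for finding in scan_font_records(MALICIOUS_STREAM):
        print("overlong FONT record:", finding)
```

On a real sample the interesting output is `overwrites_return` together with the recovered address and the printable prefix: a name longer than 0x24 bytes is already a defect, but one that reaches 44 bytes and is followed by a plausible EQNEDT32.EXE code address is the exploit shape, and the prefix usually reads as the command line the attacker wants WinExec to run.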

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: cd143222e6a3d2fe5b30f7af5e25cd451ead84a55d14a33284d394b1b643f7c1
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/CGKda.sntg3ut
Size: 2938880 bytes