Office (OOXML) / .XLSX malware analysis — malicious · 2359780fed09ce45

MALICIOUS

Office (OOXML) / .XLSX

2.20 MB Created: 2025-08-06 23:16:59 UTC Authoring application: Microsoft Excel 12.0000

MD5: 2f45099b436b2dfb5aa6d65a673821c3 SHA-1: 2309cfde425ab7dd0d7e24ca326752b0914aad99 SHA-256: 2359780fed09ce455012bfd75bd9a0498d11de111943fbcda8906334674d25b0

120 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The critical heuristic firing indicates exploitation of CVE-2017-11882, a known vulnerability in Microsoft Equation Editor. This vulnerability is typically leveraged to execute arbitrary code, often to download and run a secondary payload. The presence of an embedded OLE object further supports this attack vector.

Heuristics 3

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/dwp9zvy.Cc6qpF contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `3b7dd3d23b618bcbb9cc3a0498bf5f6704569363f04ca8d27c1b7b405326fd8d`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/dwp9zvy.Cc6qpF	3071488 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.