Office (OOXML) / .XLSX malware analysis — malicious · 27442c5c003af230

MALICIOUS

Office (OOXML) / .XLSX

3.18 MB Created: 2025-10-08 01:54:00 UTC Authoring application: Microsoft Excel 12.0000

MD5: 0c09a3e8cbdad58653eaf67cc9cf5a38 SHA-1: bec53042164bfab95832d7fa40f01027afdc5d60 SHA-256: 27442c5c003af23010f2d4dc3678dcfee80f9cea5ac835ba17d6bead7964dac2

80 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link T1204.002 Malicious Link: Malicious File

The sample is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. It also contains a heuristic firing indicating a lure to enable macros or editing. This suggests the document is designed to trick the user into executing malicious content, likely by exploiting the Equation Editor vulnerability.

Heuristics 3

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/8Y22ioX.vGCB contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `903e73dcc90c287d6fa976e6ecefd2fb620feaea9fdaeb8cf9fead4ef45670a0`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/8Y22ioX.vGCB	2925056 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.