Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 29cba522cad492f0…

MALICIOUS

Office (OOXML) / .XLSX

2.57 MB Created: 2025-09-04 00:14:20 UTC Authoring application: Microsoft Excel 12.0000
MD5: bfa233725e57253c8a5b879ad98e3058 SHA-1: 178e601b57619b100cf570869600e322d87c4801 SHA-256: 29cba522cad492f087b7545a1597f174790111764c55d0f59567dcaaed919547
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204 User Execution T1204.002 Malicious File T1566 Phishing T1566.001 Spearphishing Attachment

The sample is an OOXML file containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate a lure to enable macros, a common technique for malware droppers to bypass security measures. The embedded object is the primary indicator of malicious functionality.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/wQB.fUQx3 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
795e2f8dc22630b9009d7eea78d61042b2fccebdbb5fef03b5fa620ab04f08b5		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/wQB.fUQx3 3001344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.