Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 2a0e0dca65254651…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.09 MB
Created: 2025-06-12 01:12:31 UTC
Authoring application: Microsoft Excel 12.0000
MD5: aec230bca877baf294e901eb20a0c874
SHA-1: 5b87b77feafdf1f547aa8395bc19bcc91a528631
SHA-256: 2a0e0dca65254651de7bb2a2b2ca75d13606464fc9831154c89d0b38824a0050
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The file is an Excel spreadsheet containing an embedded OLE object identified as an Equation Editor object. Equation Editor objects are frequently used to exploit vulnerabilities such as CVE-2017-11882, which allows arbitrary code execution. The presence of this object strongly suggests the file is designed to exploit that vulnerability to download and execute a secondary payload.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/Fjeoj8.phNFw7E contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256:  c0ab8231267a0e629a0c072fc4180721d838911aef4f0c4aea6aecc5f333aeea
  Kind:     ooxml-ole-object
  Source:   OOXML embedded OLE part: xl/embeddings/Fjeoj8.phNFw7E
  Size:     2917888 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256:  3a1280674b799dc8203dfaf507fca54108897b18aeac1083653be74b4f37090d
  Kind:     ole-package
  Source:   OOXML xl/embeddings/Fjeoj8.phNFw7E Ole10Native stream: OLe10NaTIVe
  Size:     2892769 bytes