Office (OOXML) / .XLSX malware analysis — malicious · 2e41e81c5b5a0aad

MALICIOUS

Office (OOXML) / .XLSX

2.12 MB Created: 2025-05-22 22:02:38 UTC Authoring application: Microsoft Excel 12.0000

MD5: e1f5063af530ef937f68cc3f0dd16889 SHA-1: dc840eb91c64baac21f0aa3fb9b0e0a6ddb659ca SHA-256: 2e41e81c5b5a0aadd477d0124b0e6c197fc7f7aa4b26f5609b0762c4e04f144f

60 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The file is an Office document containing an embedded OLE object, identified as an Equation Editor object. This is a common technique for exploiting vulnerabilities to execute arbitrary code. The embedded object's filename 'YoR.nYznOFj' is listed as an IOC. The document body contains a large amount of seemingly random characters, suggesting it may be obfuscated or contain embedded data rather than user-readable content.

Heuristics 2

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/YoR.nYznOFj contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `9903861cb231296123d4d9498c167a119a691e8585e738f7f36eafbcd83839e8`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/YoR.nYznOFj	3051008 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.