Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 343549fe3279afcc…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.16 MB
Created: 2025-08-06 23:16:59 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 615dbb9f9cba2bc61f538904c3227cd5
SHA-1: bf8b13f3788ff0d379e89f344895b4f8c1ad7969
SHA-256: 343549fe3279afcc36be2ffcc9ff86130ea35dceba23f29d329da479558a01c8
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The critical heuristic for CVE-2017-11882 indicates that the document exploits a known stack buffer overflow in Microsoft Equation Editor (EQNEDT32.EXE). The bug yields arbitrary code execution as soon as Office hands the malformed equation object to Equation Editor for rendering, so it is the attack's primary mechanism; the embedded OLE object at xl/embeddings/vH6t.6pFOB is the delivery vector. The document body does not point to a specific lure; the exploit itself is the main finding.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow
    Severity: critical   Category: CVE likely   Rule: CVE_2017_11882
    The Equation Editor MTEF stream contains a FONT record whose null-terminated typeface name is longer than the fixed-size stack buffer EQNEDT32.EXE copies it into; that unchecked copy is the vulnerable primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution, not merely the presence of the component.
  • Equation Editor OLE object
    Severity: high   Category: CVE related   Rule: OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/vH6t.6pFOB contains the Equation Editor CLSID ({0002CE02-0000-0000-C000-000000000046}, Equation.3), the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • Embedded OLE object
    Severity: medium   Rule: OOXML_OLE_OBJECT
    Document contains an embedded OLE object (xl/embeddings/vH6t.6pFOB).
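The three heuristics above form an escalation: an embedded OLE part, then the Equation Editor CLSID inside it, then a FONT record whose typeface name cannot fit the buffer EQNEDT32.EXE copies it into. The Python below is an added example written for this page, not the analysis platform's code, that reproduces this escalation with byte-level checks: it walks the OOXML zip for parts under the embeddings folders (keyed on the folder and the compound-file magic rather than the extension, since the report's part is named vH6t.6pFOB), looks for the Equation.3 CLSID in its on-disk byte order, and measures null-terminated runs after FONT-shaped records. It does not parse the OLE compound file or the full MTEF grammar. The function names, the 40-byte threshold and the constructed test workbook are this example's own assumptions; the workbook is not the sample analysed here.

```python
"""Byte-level triage of an OOXML document for an Equation Editor object with an
overlong MTEF FONT typeface name (the CVE-2017-11882 copy primitive).

Added example; not the analysis platform's code. Raw byte patterns only, no
OLE compound-file or MTEF record parsing.
"""
import io
import zipfile

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header
# CLSID {0002CE02-0000-0000-C000-000000000046} (Equation.3) as laid out on disk:
# the first three GUID fields are little-endian, the last eight bytes are in order.
EQUATION3_CLSID = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")
# Embedded objects live under these folders whatever the part's extension is.
EMBED_DIRS = ("xl/embeddings/", "word/embeddings/", "ppt/embeddings/")
# EQNEDT32.EXE copies the NUL-terminated typeface name into a small fixed-size
# stack buffer with no bounds check. 40 bytes is a threshold chosen for this
# example (assumption); legitimate typeface names are far shorter.
FONT_NAME_MAX = 40


def embedded_ole_parts(doc: bytes):
    """Return (part name, bytes) for every embedded part that is an OLE compound file."""
    parts = []
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for name in zf.namelist():
            if name.startswith(EMBED_DIRS):
                data = zf.read(name)
                if data.startswith(CFB_MAGIC):
                    parts.append((name, data))
    return parts


def font_name_runs(blob: bytes):
    """Yield (offset, name_length) for every FONT-shaped record in the blob.

    MTEF FONT record: tag 0x08, typeface index, style byte, NUL-terminated name.
    This is a raw scan, so a stray 0x08 inside another record also yields a run;
    the length threshold is what separates signal from that noise.
    """
    i = blob.find(b"\x08")
    while i >= 0:
        start = i + 3
        end = blob.find(b"\x00", start)
        if end < 0:
            break
        yield i, end - start
        i = blob.find(b"\x08", i + 1)


def triage(doc: bytes):
    """Emit findings in the same escalation order as the report's heuristics."""
    findings = []
    for name, blob in embedded_ole_parts(doc):
        findings.append({"id": "OOXML_OLE_OBJECT", "severity": "medium", "part": name})
        if EQUATION3_CLSID not in blob:
            continue
        findings.append({"id": "OLE_EQUATION_EDITOR", "severity": "high", "part": name})
        offset, length = max(font_name_runs(blob), key=lambda r: r[1], default=(-1, 0))
        if length > FONT_NAME_MAX:
            findings.append({"id": "CVE_2017_11882", "severity": "critical",
                             "part": name, "font_name_len": length, "offset": offset})
    return findings


def build_sample(kind: str) -> bytes:
    """Constructed test workbook (not a real document and not the sample in this report).

    kind: "clean" (no embedding), "equation" (Equation Editor object with a normal
    font name) or "overlong" (60-byte font name). The OLE blob is a stand-in that
    carries only the bytes the scanner looks at; it is not a valid compound file.
    """
    if kind not in ("clean", "equation", "overlong"):
        raise ValueError(kind)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if kind != "clean":
            typeface = b"Times New Roman" if kind == "equation" else b"A" * 60
            font_record = b"\x08\x01\x00" + typeface + b"\x00"
            # placeholder 28-byte EQNOLEFILEHDR, MTEF v3 header, FONT record, END record
            equation_native = (b"\x1c\x00\x02\x00" + b"\x00" * 24
                               + b"\x03\x00\x00\x01\x00" + font_record + b"\x00")
            blob = CFB_MAGIC + b"\x00" * 8 + EQUATION3_CLSID + equation_native
            zf.writestr("xl/embeddings/oleObject1.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("clean", "equation", "overlong"):
        print(kind, [f["id"] for f in triage(build_sample(kind))])
```

Because the FONT check only runs once the Equation Editor CLSID has been seen, a long NUL-terminated run after a stray 0x08 in an unrelated embedded object (a spreadsheet or PDF embedding, say) does not fire the critical rule; for a real triage pipeline the scan should be confined to the "Equation Native" stream after proper compound-file parsing, which this byte-level example deliberately omits.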

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256:  2f17b0539bce610e3c69ffa22d2351d1a34ca389f9740aa573e1159851307a21
Kind:     ooxml-ole-object
Source:   OOXML embedded OLE part: xl/embeddings/vH6t.6pFOB
Size:     3027456 bytes