Office (OOXML) / .XLSX malware analysis — malicious · 3c71e8cf25f1cbbc

MALICIOUS

Office (OOXML) / .XLSX

2.15 MB Created: 2025-06-18 02:06:16 UTC Authoring application: Microsoft Excel 12.0000

MD5: 267565e62f4d743b1ba31b765e4ecaf1 SHA-1: 1825382fa09c26d803c1a11ac13564c09a50e518 SHA-256: 3c71e8cf25f1cbbcd85f503680e93d517912be97c783fac607ea99d503cbec69

60 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link T1204.001 Malicious Link: Malicious Link T1059 Command and Scripting Interpreter

The file contains an embedded OLE object, specifically identified as a Microsoft Equation Editor object. This is a known vector for exploiting vulnerabilities, such as CVE-2017-11882, to execute arbitrary code. The presence of this object strongly suggests an attempt to download and execute a secondary payload. The document body appears to be corrupted or contains non-standard characters, providing no direct clues about the lure, but the exploit vector is clear.

Heuristics 2

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/8zxysE6.JUv4z contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `dc563136a172d6d02ef1b0991dc4b98c944a50bb338d6da85bb925bc52593a7a`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/8zxysE6.JUv4z	2994176 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.