Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 42efbf74d2446e06…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.06 MB
Created: 2025-06-12 01:12:31 UTC
Authoring application: Microsoft Excel 12.0000
MD5: cb086b8df9c53222e9c41ea86189efde
SHA-1: 2e0bbceb35a200415c10f0b6e50fad2f2f31feba
SHA-256: 42efbf74d2446e06120a6c9e17fa3762e719c88eb040a7fc52030191307a24d8
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an Excel file containing an embedded OLE object identified as an Equation Editor object. This is a common technique used to exploit vulnerabilities in the Equation Editor component, often leading to the execution of arbitrary code. The presence of this object strongly suggests an attempt to leverage an exploit for initial access or payload delivery.

Heuristics (2)

  • Equation Editor OLE object (severity: high, tag: CVE related, rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/sEbp.lHJ contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: b88f4776486d1a94ce46c25de968f5dbf851cff721baf0a759a8b4739505c4b4
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/sEbp.lHJ
  Size: 2970112 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 60fbd35be8182202384bfdd31ec13f3265ea333bf6d5a48d5fcc9bb8bbd936fc
  Kind: ole-package
  Source: OOXML xl/embeddings/sEbp.lHJ, Ole10Native stream: oLE10natIvE
  Size: 2944221 bytes