Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 44a350ee6e92ed6a…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.15 MB
Created: 2025-08-18 05:08:49 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 9fb7d648b5e7fc4d9ef87f9965e2e33d
SHA-1: 844c3dcb13cc0e22d5468fb13ecc8b1781904075
SHA-256: 44a350ee6e92ed6aa138eddb00d49ea3cc9bc5f50ac7da4e7a1d6923f97eaf7c
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1559.001 Component Object Model and Distributed Component Object Model

The critical heuristic firing for CVE-2017-11882 indicates the document exploits a known vulnerability in the Equation Editor. This is further supported by the presence of an embedded OLE object. The embedded object's filename is also listed as an IOC. The document body contains garbled text, suggesting it is not intended for direct user consumption but rather to facilitate the exploit.

Heuristics 3

  • CVE-2017-11882 — Equation Editor FONT record overflow (severity: critical; confidence: CVE likely; rule: CVE_2017_11882)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object (severity: high; confidence: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/X8DwoFF.Fhxur contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 77df1824e7e7a5269d3ffcbb31e63a5decceb681ceaab0d8e87017b47f34945f
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/X8DwoFF.Fhxur
Size: 2957312 bytes