Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 453f66213a51bfb1…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.16 MB
Created: 2025-08-18 05:08:49 UTC
Authoring application: Microsoft Excel 12.0000
MD5: a73802e970ca60f915d851d8ebc033fa
SHA-1: 213e5ad4686dae1f616b0986a7ae3aba3208c567
SHA-256: 453f66213a51bfb198cceef9297a81032cdf9237cabb1c49751805401c12ef28
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The file is an Excel document containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. This object is known to be a vector for exploiting vulnerabilities, such as CVE-2017-11882, to achieve arbitrary code execution. The presence of this object strongly suggests the document is designed to exploit this vulnerability to deliver a secondary payload.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/5bedYW9f.v4 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 6f69fabc1bfed11f1ec2cb828edc9bc52a8e8438327e7bddb203e4b6ce678d9d
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/5bedYW9f.v4
  Size: 3055104 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 61591d6842ac95192b1a54c1073b99246aca7cb497d94635b8091e2050418f36
  Kind: ole-package
  Source: OOXML xl/embeddings/5bedYW9f.v4 Ole10Native stream: OlE10NAtIVe
  Size: 3028843 bytes