Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 48a9788b6e1ecedc…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.96 MB
Created: 2025-06-12 01:12:31 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2025-11-11
MD5: 2d4d5a11799cd4b33ba2c17bed87f7ab
SHA-1: 8160f47fde59b8fbaa875457cab1ad172240b15d
SHA-256: 48a9788b6e1ecedc21bea1062557d940fb77ce2da0f4f347b83e5a7af5ba9fcd
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203: Exploitation for Client Execution
T1559.001: Component Object Model and Distributed Component Object Model

The critical heuristic firing for CVE-2017-11882 indicates the file exploits a known vulnerability in Microsoft Equation Editor. This is further supported by the high heuristic for an Equation Editor OLE object. The embedded OLE object is the primary mechanism for delivering the exploit, likely leading to arbitrary code execution.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow (severity: critical; tags: CVE, likely; rule: CVE_2017_11882)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object (severity: high; tags: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/QR.kU6u0q contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: f53e4d02727613948733a9c5094ec655228e022823e17d45d96b9398b390e4e8
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/QR.kU6u0q
Size: 2786816 bytes