Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4ae711a1e1208d10…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.75 MB
Created: 2025-09-10 01:57:00 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2026-03-24
MD5: e1c8f7e9dd31ccd5c127aef6a9b9b382
SHA-1: 8f1e4d77f8140d891219d3d3af7d4e7ca7c130ab
SHA-256: 4ae711a1e1208d108e32e224700996275872dd9a2213bd32e3ca38a49681f30f
Risk score: 100

Malware Insights

MITRE ATT&CK
T1204 User Execution (T1204.001 Malicious Link) / T1559.001 Inter-Process Communication: Component Object Model / T1027 Obfuscated Files or Information

The file is an Excel (OOXML) workbook containing an embedded OLE object whose CLSID identifies it as a Microsoft Equation Editor object. High-severity heuristics flag that this object carries a payload-like Ole10Native stream with an anomalous header, the shape used to deliver exploits for the legacy Equation Editor component (EQNEDT32.EXE), most commonly CVE-2017-11882, a stack buffer overflow that yields arbitrary code execution when the document is opened. The embedded part is stored at 'xl/embeddings/iOn9c19jC.tjhm'; the random part name and non-standard extension are tolerated by Office because the object type comes from the relationship and the CLSID, not the file name. Because no MTEF/Equation Native exploit primitive was matched, the payload-anomaly heuristic does not assign a specific CVE; confirm by carving the Ole10Native stream (see extracted artifacts) and inspecting its content directly.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/iOn9c19jC.tjhm contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high) [OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
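The three heuristics above can be reproduced with a short script. The following is an added example written for this report, not the analysis platform's own code: it enumerates the xl/embeddings/ parts of an OOXML file, byte-scans an OLE part for the Equation Editor CLSID, parses an Ole10Native package stream and reports sizing anomalies, and combines those signals into the same rule IDs the report uses. The Ole10Native layout it assumes (NativeDataSize, flags, label, filename, two reserved DWORDs, length-prefixed temp path, DataSize, data) is the commonly documented one; consult MS-OLEDS for the authoritative structure. The CLSID byte scan approximates reading the root directory entry of a real compound file, the 7.0 bits/byte entropy threshold is a chosen assumption, and all sample inputs are constructed in the block rather than carved from the reported file.

```python
"""Added example: heuristics for an Equation Editor OLE object carrying an
anomalous Ole10Native package stream (not the analysis platform's code)."""
import io
import struct
import uuid
import zipfile
from math import log2

# Equation Editor 3.0 CLSID, the component patched by CVE-2017-11882.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
HIGH_ENTROPY = 7.0  # assumed threshold (bits/byte) for packed/encrypted data


def embedded_ole_parts(ooxml: bytes) -> dict:
    """Return {part name: bytes} for every part under xl/embeddings/."""
    with zipfile.ZipFile(io.BytesIO(ooxml)) as z:
        return {n: z.read(n) for n in z.namelist() if n.startswith("xl/embeddings/")}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * log2(c / n) for c in counts if c)


def has_equation_editor_clsid(ole_part: bytes) -> bool:
    """Scan for the CLSID in its on-disk (little-endian GUID) form. A real
    compound-file parser would read it from the root directory entry."""
    return EQUATION_EDITOR_CLSID.bytes_le in ole_part


def _cstring(buf: bytes, off: int):
    end = buf.index(b"\x00", off)
    return buf[off:end], end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Parse an Ole10Native package stream (assumed layout, see lead-in) and
    collect sizing anomalies of the kind the report's heuristic describes."""
    anomalies = []
    if len(stream) < 6:
        return {"anomalies": ["stream too short to be a package"]}
    native_size, flags = struct.unpack_from("<IH", stream, 0)
    if native_size != len(stream) - 4:
        anomalies.append(f"NativeDataSize {native_size} != actual {len(stream) - 4}")
    if flags != 0x0002:
        anomalies.append(f"unexpected flags 0x{flags:04x}")
    try:
        label, off = _cstring(stream, 6)
        filename, off = _cstring(stream, off)
        off += 8  # two reserved DWORDs
        (temp_len,) = struct.unpack_from("<I", stream, off)
        off += 4
        temp_path = stream[off:off + temp_len]
        off += temp_len
        (data_size,) = struct.unpack_from("<I", stream, off)
        off += 4
    except (ValueError, struct.error):
        return {"anomalies": anomalies + ["truncated package header"]}
    data = stream[off:off + data_size]
    if data_size != len(data):
        anomalies.append(f"DataSize {data_size} exceeds available {len(data)} bytes")
    if off + len(data) != len(stream):
        anomalies.append(f"{len(stream) - off - len(data)} trailing bytes after Data")
    return {"label": label.decode("latin-1"), "filename": filename.decode("latin-1"),
            "temp_path": temp_path.rstrip(b"\x00").decode("latin-1"), "data": data,
            "entropy": round(shannon_entropy(data), 2), "anomalies": anomalies}


def assess(ole_part: bytes, ole10native: bytes) -> dict:
    """Combine the signals into the report's rule IDs."""
    parsed = parse_ole10native(ole10native)
    is_eqn = has_equation_editor_clsid(ole_part)
    hits = ["OOXML_OLE_OBJECT"]
    if is_eqn:
        hits.append("OLE_EQUATION_EDITOR")
    if is_eqn and parsed["anomalies"] and parsed.get("entropy", 0.0) >= HIGH_ENTROPY:
        hits.append("OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY")
    return {"hits": hits, "anomalies": parsed["anomalies"], "entropy": parsed.get("entropy")}


def build_ole10native(label, filename, temp_path, data, declared_size=None) -> bytes:
    """Constructed helper: assemble a package stream; declared_size overrides
    NativeDataSize to fabricate a malformed header for testing."""
    body = struct.pack("<H", 0x0002) + label + b"\x00" + filename + b"\x00"
    body += struct.pack("<II", 0, 0)
    tp = temp_path + b"\x00"
    body += struct.pack("<I", len(tp)) + tp + struct.pack("<I", len(data)) + data
    return struct.pack("<I", len(body) if declared_size is None else declared_size) + body


# Constructed samples (not carved from the reported file).
BENIGN_PART = b"\x00" * 512                      # no CLSID anywhere
EQN_PART = b"\x00" * 80 + EQUATION_EDITOR_CLSID.bytes_le + b"\x00" * 80
BENIGN_STREAM = build_ole10native(b"notes.txt", b"C:\\notes.txt", b"C:\\Temp\\notes.txt",
                                  b"quarterly figures attached\n" * 8)
PAYLOAD = bytes(range(256)) * 32                 # deterministic 8.0 bits/byte stand-in
ANOMALOUS_STREAM = build_ole10native(b"x", b"x", b"x", PAYLOAD, declared_size=0x7FFFFFFF)


def demo_ooxml() -> bytes:
    """Constructed minimal OOXML-shaped zip with one embedding part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/embeddings/oleObject1.bin", EQN_PART)
    return buf.getvalue()


if __name__ == "__main__":
    for name, part in embedded_ole_parts(demo_ooxml()).items():
        print(name, assess(part, ANOMALOUS_STREAM))
```

In practice the Ole10Native stream is pulled out of the compound file (olefile or oletools' oleobj do this) before being handed to parse_ole10native; the carved artifact listed under extracted artifacts below is exactly that stream. The entropy gate keeps the anomaly rule from firing on a merely mis-sized but plaintext package, and the CLSID requirement keeps it from firing on ordinary Package objects.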

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                               Kind              Source                                                              Size
ooxml_oleobject_00.bin                 ooxml-ole-object  OOXML embedded OLE part: xl/embeddings/iOn9c19jC.tjhm               2825728 bytes
  SHA-256: 8c77fe1608c7c674b54949b5dbfc7e58fb0df69159f71bcd536e3c73095b6d53
ooxml_oleobject_00_ole10native_00.bin  ole-package       OOXML xl/embeddings/iOn9c19jC.tjhm Ole10Native stream: oLE10NatIvE  2800763 bytes
  SHA-256: 943f1c4fea4c62311cedd0fa82cb9ae192f98726220612faa4ad4428fb452167