Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4c8b04b8978beb0a…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.41 MB
Created: 2025-09-04 00:14:20 UTC
Authoring application: Microsoft Excel 12.0000 (Excel 2007)
MD5: 197ebfe415d338f101f20bb8a5ad5314
SHA-1: e0c5cef57591b80607b8e5db673a9647d8a5a576
SHA-256: 4c8b04b8978beb0abcf043349a433ca0b1ba1c0f510fa7263861ed3634a5dca3
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1204 User Execution
T1204.002 User Execution: Malicious File

The sample is an Excel workbook (OOXML) containing an embedded OLE object, xl/embeddings/Jp.Do, that carries the Equation Editor CLSID. A second heuristic fired on text instructing the user to enable macros or editing, a common lure used by droppers to talk the victim past Office's default macro blocking and Protected View. Equation Editor objects in malicious documents are almost always exploit payloads for the known EQNEDT32.EXE vulnerabilities, but whether this object contains exploit code, and for which CVE, cannot be determined from the static evidence here: the carved part (ooxml_oleobject_00.bin, 2,955,776 bytes) is far larger than a bare Equation Editor exploit object and needs to be parsed separately before the embedded payload can be characterised.

Heuristics (3)

  • Equation Editor OLE object [severity: high, CVE-related] (OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/Jp.Do contains the Equation Editor CLSID, the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798 (Microsoft removed the component from Office in January 2018, but unpatched installations remain exploitable).
  • Embedded OLE object [severity: medium] (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Macro/content-enable lure [severity: medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common social-engineering technique used by droppers to get the victim to switch off the Office macro and Protected View protections that would otherwise block the payload.
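The two findings above can be reproduced with a small triage script. The following is an added example written for this report, not the scanner's own rule code: it opens the workbook as a zip, byte-scans every part under xl/embeddings/ for the Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} (in the mixed-endian layout used inside an OLE compound file) and for the UTF-16LE stream name "Equation Native", and greps the shared-string table and sheet XML for enable-macros/editing phrases. The lure phrase list and the build_sample() workbook are constructed for the example (the sample is not the analysed file); the CLSID check is a raw byte search, which is enough for triage but is not a full MS-CFB directory parse.

```python
import io
import re
import uuid
import zipfile

# Equation Editor 3.0 CLSID. MS-CFB stores CLSIDs with the first three fields
# little-endian, which is exactly what uuid.UUID.bytes_le produces.
EQNEDT_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")
EQNEDT_CLSID_BYTES = EQNEDT_CLSID.bytes_le
# Stream name used by Equation Editor objects; directory entries are UTF-16LE.
EQNEDT_STREAM = "Equation Native".encode("utf-16-le")
# Magic of an OLE compound file (MS-CFB header signature).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Assumption: a small hand-picked lure list for the example, not the vendor's
# SE_ENABLE_LURE rule.
LURE_PATTERNS = re.compile(
    r"enable\s+(?:macros?|editing|content)|protected\s+view", re.IGNORECASE
)


def check_ole_parts(zf):
    """One finding per part under xl/embeddings/, whatever its extension."""
    findings = []
    for name in zf.namelist():
        if not name.startswith("xl/embeddings/"):
            continue
        data = zf.read(name)
        findings.append({
            "part": name,
            "size": len(data),
            "is_ole": data.startswith(OLE_MAGIC),
            "equation_editor": EQNEDT_CLSID_BYTES in data or EQNEDT_STREAM in data,
        })
    return findings


def check_enable_lure(zf):
    """Lure-like phrases from the shared string table and the sheet XML."""
    hits = []
    for name in zf.namelist():
        if name == "xl/sharedStrings.xml" or name.startswith("xl/worksheets/"):
            text = zf.read(name).decode("utf-8", errors="replace")
            plain = re.sub(r"<[^>]+>", " ", text)  # drop tags so runs join up
            hits.extend(m.group(0) for m in LURE_PATTERNS.finditer(plain))
    return hits


def triage(xlsx_bytes):
    """Return the findings plus the heuristic names that fired."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        ole = check_ole_parts(zf)
        lure = check_enable_lure(zf)
    heuristics = []
    if ole:
        heuristics.append("OOXML_OLE_OBJECT")
    if any(f["equation_editor"] for f in ole):
        heuristics.append("OLE_EQUATION_EDITOR")
    if lure:
        heuristics.append("SE_ENABLE_LURE")
    return {"ole_parts": ole, "lure_strings": lure, "heuristics": heuristics}


def build_sample():
    """Constructed workbook for the example: NOT the analysed sample. It holds a
    fake OLE part carrying the Equation Editor CLSID and a lure string."""
    fake_ole = OLE_MAGIC + b"\x00" * 0x48 + EQNEDT_CLSID_BYTES + EQNEDT_STREAM + b"\x00" * 64
    shared = (
        '<?xml version="1.0"?><sst xmlns="http://schemas.openxmlformats.org/'
        'spreadsheetml/2006/main"><si><t>This document is protected. '
        'Please click Enable Editing and then Enable Content.</t></si></sst>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/sharedStrings.xml", shared)
        zf.writestr("xl/embeddings/oleObject1.bin", fake_ole)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(json.dumps(triage(data), indent=2))
```

Run it with the path to an .xlsx as the first argument; with no argument it triages the constructed sample. A CLSID hit only says the object was created by, or claims to be, Equation Editor; to tell an exploit from a benign equation the "Equation Native" stream has to be parsed (for example with olefile) and its MTEF records examined.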

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 4c9a6e83022c07f0a75d94ac221ef912264a026922db88a6ce101669777fe212
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/Jp.Do
Size: 2955776 bytes (about 2.8 MiB; larger than the 2.41 MB workbook because the part is stored compressed inside the OOXML zip container)