Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4e2c43f533736d7c…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.00 MB
Created: 2025-05-22 22:02:38 UTC
Authoring application: Microsoft Excel 12.0000
MD5: c85a5a0f6ccbf61943f9c803ad0ef478
SHA-1: 5ce9b4c21d9db033e6166ae5834b59f69cc98615
SHA-256: 4e2c43f533736d7cdd6c88baaeee33abe8596ffe8ffe1f88e8d8c17b1a6b0adc
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The primary indicator of maliciousness is the presence of an embedded OLE object, identified as an Equation Editor object. This technique is commonly used to exploit vulnerabilities or deliver secondary payloads. No specific malware family could be identified from the available evidence.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/xQIY.U3a9E contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256:  9f2e805708fb9139a72c7851ce7fb6b8ec764d61da6ab4f8f6277808feab53f0
Kind:     ooxml-ole-object
Source:   OOXML embedded OLE part: xl/embeddings/xQIY.U3a9E
Size:     2865152 bytes