Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4e9f316926f010ba…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.18 MB
Created: 2025-08-18 05:08:49 UTC
Authoring application: Microsoft Excel 12.0000
MD5: fc473548d244cde2cbc819170985d456
SHA-1: 19d512204cfd527746c74c60b31406302bd91393
SHA-256: 4e9f316926f010ba7c4ce12fdd78d0749d640d824b4ccf5d747c86e2042b9471
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model (the exploitation of the embedded Equation Editor object itself maps to T1203 Exploitation for Client Execution)

The high-severity OLE_EQUATION_EDITOR heuristic fired because the embedded OLE part xl/embeddings/3xBBo42KW.7Mo carries the CLSID of the legacy Equation Editor component (EQNEDT32.EXE). That component is the target of CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798, and an embedded equation object is the delivery vehicle for those exploits: the object is processed when the workbook loads it, with no macro and no user prompt involved. The CLSID by itself only shows that the object is handed to Equation Editor, and a legitimate document with a real equation carries the same CLSID; what sets this sample apart is the object itself. The carved Ole10Native stream is 3,041,450 bytes, far larger than any genuine equation, and its stream name is recorded with mangled casing (ole10nAtIVe), a variation seen in samples meant to slip past parsers that match the canonical Ole10Native name case-sensitively. The part name 3xBBo42KW.7Mo is also not the oleObjectN.bin naming Excel itself uses for embedded objects, which suggests the package was produced by a generator rather than by Excel. Taken together, the embedded OLE object is the primary indicator of malicious intent; which of the listed CVEs is actually triggered cannot be read from the CLSID and would require inspecting the equation data inside the stream.

Heuristics 2

  • OLE_EQUATION_EDITOR (severity: high; tag: CVE related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/3xBBo42KW.7Mo contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • OOXML_OLE_OBJECT (severity: medium): Embedded OLE object
    Document contains an embedded OLE object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    SHA-256: 1fe5c1fc022ecc3e90d99e1b0d83a7140ba42dbf3c960609f2011acaadeb17cb
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/3xBBo42KW.7Mo
    Size: 3067904 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: a7f2f861d836cb655dfc476a91b9c79b06c5c3f4db5c82ba787e48ce7fe823ba
    Kind: ole-package
    Source: OOXML xl/embeddings/3xBBo42KW.7Mo, Ole10Native stream (named ole10nAtIVe in the sample)
    Size: 3041450 bytes