Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4f352c1b777eb35b…

MALICIOUS

Office (OOXML) / .XLSX

2.08 MB Created: 2025-06-12 01:12:31 UTC Authoring application: Microsoft Excel 12.0000
MD5: 1fde54cd1c1f84d71577ec6b2cde120d SHA-1: d6bab1af3fe3881a705fe959b084403601cde42f SHA-256: 4f352c1b777eb35bc6b5e31570158e8d6d7d32a9ddbb9b5bab468eaee266468b
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The high-severity heuristic 'OLE_EQUATION_EDITOR' indicates the presence of a vulnerable Equation Editor OLE object within the XLSX file. This object is commonly used to exploit CVE-2017-11882, allowing for arbitrary code execution upon opening the document. The embedded OLE object is the primary indicator of malicious intent.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/pmRm.xZgiv64 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
5706d7e1a6108d2ce7e5a0b6ca37fead99f877bdf49f82fdac8ffb1a5326e9ca		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/pmRm.xZgiv64 2923520 bytes
ooxml_oleobject_00_ole10native_00.bin
c4f27eb1e259162bd7757fbfa4b75ccfc12c1b6e5b948eef14cb358bdf66f428		 ole-package OOXML xl/embeddings/pmRm.xZgiv64 Ole10Native stream: oLE10nAtiVE 2898379 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.