Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4fcbc175cffafdff…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.01 MB
Created: 2025-04-16 03:58:07 UTC
Authoring application: Microsoft Excel 12.0000
MD5: cac54520d6b56d0b25177ce1e243d6c5
SHA-1: f29c2b249ac6659965b76670370c510f37b7ec30
SHA-256: 4fcbc175cffafdffd9b32cfbb842f26b6e5998ea4f1475276f4438d6c88c5b5f
Risk score: 80

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample is an OOXML workbook that contains one embedded OLE object, identified by its CLSID as an Equation Editor (EQNEDT32.EXE) object. The worksheet text instructs the user to click 'Enable editing'. That button takes the workbook out of Protected View; Excel does not load embedded OLE objects while a document is in Protected View, so the lure is the step the exploit chain depends on. No macros are involved and no scripts were extracted from the sample. The CLSID match establishes that an Equation Editor object is present, not that it carries a malformed MTEF record; the carved OLE part listed under Extracted artifacts should be examined for the font-name and matrix records that the referenced CVEs abuse before the verdict is acted on.

Heuristics (3)

  • Equation Editor OLE object (severity: high; CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/I9h.ok carries the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}, the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. The part name is itself notable: Excel writes embeddings as xl/embeddings/oleObjectN.bin, and a renamed part such as I9h.ok is typical of samples assembled by a builder rather than saved from Office.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    The document contains an embedded OLE object (a compound file under xl/embeddings/).
  • Macro/content-enable lure (severity: medium) [SE_ENABLE_LURE]
    The document text instructs the user to enable editing or content. 'Enable editing' leaves Protected View and 'Enable content' allows macros to run; either lure is a common dropper technique for getting past Office security prompts.
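The two signals above (an Equation Editor CLSID in an embedded OLE part, and an enable-editing lure in the sheet text) can be reproduced from the raw .xlsx without Office. The script below is an added example, not the analysis engine's own code: it opens the workbook as a zip, parses the header and root directory entry of each compound file under xl/embeddings/ to read its CLSID, falls back to a byte scan for the little-endian CLSID encoding elsewhere in the stream, and greps xl/sharedStrings.xml for the lure. The sample workbook it builds for itself is constructed for illustration and is not the analysed file; the assumed part name oleObject1.bin is Excel's default, unlike the sample's I9h.ok.

```python
"""Static triage of an .xlsx for an Equation Editor OLE object and an
"Enable editing" lure. Standard library only; the workbook built by
build_sample_xlsx() is constructed test input, not the analysed sample."""
import io
import re
import struct
import uuid
import zipfile

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}
EQNEDT_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")
# On-disk (little-endian) encoding as stored in a compound-file directory entry
EQNEDT_CLSID_LE = EQNEDT_CLSID.bytes_le
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
LURE_RE = re.compile(r"enable\s+(editing|content)", re.IGNORECASE)


def root_entry_clsid(ole: bytes):
    """CLSID of the root directory entry of a compound file (MS-CFB), or None
    if the blob is not one. Only the first directory sector is read: the root
    entry is always entry 0 of that sector, so no FAT chain walk is needed."""
    if len(ole) < 512 or not ole.startswith(OLE_MAGIC):
        return None
    sector_shift = struct.unpack_from("<H", ole, 30)[0]      # usually 9 (512 B)
    first_dir_sector = struct.unpack_from("<I", ole, 48)[0]
    sector_size = 1 << sector_shift
    off = (first_dir_sector + 1) * sector_size               # header is sector -1
    entry = ole[off:off + 128]
    if len(entry) < 128:
        return None
    return uuid.UUID(bytes_le=entry[80:96])


def triage_xlsx(data: bytes) -> dict:
    """Return which embedded parts are OLE compound files, which of those carry
    the Equation Editor CLSID, and whether the shared strings hold a lure."""
    findings = {"ole_objects": [], "equation_editor": [], "lure": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.startswith("xl/embeddings/"):
                continue
            blob = z.read(name)
            if not blob.startswith(OLE_MAGIC):
                continue
            findings["ole_objects"].append(name)
            # Root-entry CLSID is authoritative; the byte scan also catches the
            # CLSID inside the \x01Ole / \x01CompObj streams of odd layouts.
            if root_entry_clsid(blob) == EQNEDT_CLSID or EQNEDT_CLSID_LE in blob:
                findings["equation_editor"].append(name)
        if "xl/sharedStrings.xml" in z.namelist():
            text = z.read("xl/sharedStrings.xml").decode("utf-8", "replace")
            findings["lure"] = LURE_RE.search(text) is not None
    return findings


def build_sample_xlsx() -> bytes:
    """Construct a minimal .xlsx whose only embedding is a two-sector compound
    file with an Equation Editor root CLSID (constructed test input)."""
    sector = 512
    header = bytearray(sector)
    header[0:8] = OLE_MAGIC
    struct.pack_into("<H", header, 30, 9)        # sector shift: 512-byte sectors
    struct.pack_into("<I", header, 48, 0)        # first directory sector = 0
    root = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    root[0:len(name)] = name
    struct.pack_into("<H", root, 64, len(name))  # name length incl. terminator
    root[66] = 5                                 # object type: root storage
    root[80:96] = EQNEDT_CLSID_LE
    ole = bytes(header) + bytes(root).ljust(sector, b"\x00")
    shared = ('<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
              '<si><t>This document is protected. Click Enable Editing to view it.</t></si></sst>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/embeddings/oleObject1.bin", ole)   # assumed default part name
        z.writestr("xl/sharedStrings.xml", shared)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_xlsx(build_sample_xlsx()))
```

To run it against a real sample, replace build_sample_xlsx() with the bytes of the workbook; because the check keys on the part prefix rather than a file name, a renamed part such as the sample's I9h.ok is still examined. A CLSID hit only says an Equation Editor object is present; confirming exploitation still means parsing the MTEF stream inside the carved OLE part.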

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 42b3e807215ef21c832681dc5d109ff0ea9860c08980713aca376f3d282cd2b7
Kind: ooxml-ole-object
Source: OOXML embedded OLE part xl/embeddings/I9h.ok
Size: 2808320 bytes (about 2.68 MiB, uncompressed; the 2.01 MB container holds it zip-compressed). A legitimate Equation Editor object is typically a few kilobytes, so a part this large is itself a signal worth noting.