Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 4fe60a82350a24cc…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX
Size: 2.20 MB
Created: 2025-08-06 23:16:59 UTC
Authoring application: Microsoft Excel 12.0000

MD5: 3938a2cd33618aa0c5efd36c72b94850
SHA-1: 8c5ad25a590327ca507afa9d0db146dca7c378d6
SHA-256: 4fe60a82350a24cc0bfeb1a9df86a751cec9b7307035f90b0a08959a16a1fc7c

Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object has historically been used to exploit vulnerabilities, such as CVE-2017-11882, to execute arbitrary code. The presence of this object strongly suggests an attack pattern aimed at exploiting this vulnerability for initial access. No scripts were extracted, and the document body was heavily obfuscated and truncated, limiting further analysis of the payload's intent.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/wB.WOQMg contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: ed7804053f6256f1a257b28e4ca2b1e3b87d9208bf4453b08a70e35edb6e2414
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/wB.WOQMg
    Size: 3037696 bytes