Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 501b5f40d624d5b4…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.85 MB
Created: 2025-09-10 01:57:00 UTC
Authoring application: Microsoft Excel 15.0300
MD5: d8ea507fb91755c13880ad2f528fb69a
SHA-1: e72b127e7579f25fc556a48f9e31c3d70360f3ac
SHA-256: 501b5f40d624d5b4d738d9e9f44bef784f56a64ccfb0c43a8ce713d5566a9119
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an Office Open XML spreadsheet containing an embedded OLE object identified as an Equation Editor object. Embedding Equation Editor objects is a common technique for exploiting vulnerabilities in that legacy component, such as CVE-2017-11882, to execute arbitrary code. The presence of this object strongly suggests the file is a malicious dropper designed to leverage this exploit.

Heuristics (2)

  • Equation Editor OLE object  [severity: high; category: CVE related; rule: OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/oGC0QcxYZ.2z contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object  [severity: medium; rule: OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: ooxml_oleobject_00.bin
  SHA-256:  3a9974a53c64e9813e2cc1265cad08363e43f5cefae293c6bb70b919e2351efa
  Kind:     ooxml-ole-object
  Source:   OOXML embedded OLE part: xl/embeddings/oGC0QcxYZ.2z
  Size:     2969600 bytes

Artifact 2
  Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256:  b663d0944ccb92f3236a99a4e9fecb1211835eef45a1ededd407858baf056224
  Kind:     ole-package
  Source:   OOXML xl/embeddings/oGC0QcxYZ.2z, Ole10Native stream: OLe10natIVe
  Size:     2943750 bytes