Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 5bacabd07b70c4dc…

MALICIOUS

Office (OOXML) / .XLSX

2.84 MB Created: 2025-09-10 01:57:00 UTC Authoring application: Microsoft Excel 15.0300
MD5: e63e74e3c441a90fe7a05c79e3606ff2 SHA-1: a0541e312f7fb4ff35c2017ebc7c11be15b652c3 SHA-256: 5bacabd07b70c4dc686e620c59947ac31e9ca94c041f4d3ef4bca4baba785eec
140 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an Office Open XML spreadsheet containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. High-severity heuristics indicate that this object carries a payload-like Ole10Native stream with an anomalous header, suggesting exploitation of a vulnerability within the Equation Editor. This typically leads to client-side code execution.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/PMKfmBHk.kD contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • NOP sled detected high SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
bdf461eb242ce96a0a1b25b92e208e5b85abc4789f833a27bb5a8271d947e2b0		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/PMKfmBHk.kD 2932736 bytes
ooxml_oleobject_00_ole10native_00.bin
61d2fb106205b6937b7738738aa499a43ba7da7bd2117b2215d88548367c213e		 ole-package OOXML xl/embeddings/PMKfmBHk.kD Ole10Native stream: Ole10NAtIve 2907198 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.