Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 63236ee2d8d6d139…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.40 MB
Created: 2025-09-04 00:14:20 UTC
Authoring application: Microsoft Excel 12.0000
MD5: e8e4bc6a2fed5ae5c20abea0f4290352
SHA-1: e7b0d68e07a5935c60dff49f6624495f743dfacd
SHA-256: 63236ee2d8d6d1397e2c338172f9893de9e15652569d336d9aaf6b89f7af5ae1
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The file is an Excel spreadsheet containing an embedded OLE object, specifically identified as an Equation Editor exploit. The document body, though partially truncated, contains text suggesting a business or financial context, and the 'SE_ENABLE_LURE' heuristic indicates the document likely prompts the user to enable macros. This combination strongly suggests a macro-based attack leveraging the Equation Editor vulnerability to execute malicious code.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related; rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/PPR0E2Yn.VPmMnK contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Macro/content-enable lure (severity: medium; rule SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: de888b594c38526ed18663b4e95cf7d37b2ccebdf6b2dca937869170a3802ac1
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/PPR0E2Yn.VPmMnK
Size: 2922496 bytes