Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 65ee2ef8073cd071…

MALICIOUS

Office (OOXML) / .XLSX

Size: 3.40 MB
Created: 2025-10-08 01:54:00 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2026-02-03

MD5: cb2e069e1a755acb1cf27ed78e029c3f
SHA-1: becc805bfef5793167787beb23f54d8139f4fb64
SHA-256: 65ee2ef8073cd071cba79b4b2fa72a94b2912ab692360eabf32e6e4e9e2165b8

Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical-severity heuristic for CVE-2017-11882 indicates that the sample exploits the stack buffer overflow in Microsoft Equation Editor (EQNEDT32.EXE) to gain code execution. The embedded OLE object, identified by its CLSID as an Equation Editor object, corroborates this finding. The exploit most likely launches a second-stage payload, but no details of that payload were recovered from the sample.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow [critical; CVE likely] (rule CVE_2017_11882)
    The Equation Editor MTEF data contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone, because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object [high; CVE related] (rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/1r.rZthQWM contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [medium] (rule OOXML_OLE_OBJECT)
    The document contains an embedded OLE object.
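To make the two Equation Editor heuristics above reproducible, here is an added example (it is not the analysis platform's own tooling): it enumerates the xl/embeddings/* parts of a workbook, flags OLE2 containers that carry the Equation Editor 3.0 CLSID, and scans an extracted Equation Native stream for FONT records whose typeface name is longer than the stack buffer that CVE-2017-11882 overflows. Assumptions: the stream has already been pulled out of the compound file (for example with the third-party olefile package), MTEF v3 layout, and a 0x24-byte destination buffer in EQNEDT32.EXE. The workbook and the two streams used here are constructed for the demo; the suspect stream carries only padding after a command string, no return address or shellcode.

```python
# Added example for the Equation Editor heuristics; not the report's own code.
# Assumptions: MTEF v3 layout, a 0x24-byte stack buffer for the FONT name in
# EQNEDT32.EXE, and an "Equation Native" stream already extracted from the OLE2 part.
import io
import struct
import zipfile

EQNOLEFILEHDR_LEN = 0x1C        # header that precedes the MTEF data in "Equation Native"
MTEF_FONT_TAG = 0x08            # FONT record: low nibble of the tag byte
SAFE_FONT_NAME_LEN = 0x24       # assumed size of the destination stack buffer
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in the
# little-endian GUID byte order used inside compound-file directory entries.
EQNEDT_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")


def mtef_body(stream: bytes) -> bytes:
    """Strip the EQNOLEFILEHDR and return the MTEF bytes, bounded by cbObject."""
    if len(stream) < EQNOLEFILEHDR_LEN:
        raise ValueError("stream shorter than EQNOLEFILEHDR")
    cb_hdr, _version, _cf, cb_object = struct.unpack_from("<HIHI", stream, 0)
    if cb_hdr != EQNOLEFILEHDR_LEN:
        raise ValueError(f"unexpected cbHdr 0x{cb_hdr:x}")
    # cbObject is attacker-controlled; slicing clamps it to what is really present.
    return stream[cb_hdr:cb_hdr + cb_object] if cb_object else stream[cb_hdr:]


def find_overlong_font_names(stream: bytes, limit: int = SAFE_FONT_NAME_LEN):
    """Return (stream_offset, name_len, name) for each FONT record whose
    NUL-terminated typeface name exceeds `limit` bytes.
    FONT record layout: tag (low nibble 8), tface, style, name, NUL.
    Sliding-window heuristic, not a full MTEF parser: a hit is a lead, not a verdict."""
    body = mtef_body(stream)
    hits = []
    i = 5 if body[:1] == b"\x03" else 0     # skip the 5-byte MTEF v3 header
    while i + 3 <= len(body):
        if body[i] & 0x0F == MTEF_FONT_TAG:
            start = i + 3
            end = body.find(b"\x00", start)
            if end == -1:
                end = len(body)             # unterminated name: the copy loop runs on regardless
            if end - start > limit:
                hits.append((EQNOLEFILEHDR_LEN + i, end - start, body[start:end]))
                i = end + 1
                continue
        i += 1
    return hits


def embedded_ole_parts(xlsx_bytes: bytes):
    """List xl/embeddings/* parts; flag OLE2 containers that carry the Equation Editor CLSID."""
    found = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("xl/embeddings/"):
                continue
            blob = zf.read(name)
            found.append({
                "part": name,
                "size": len(blob),
                "is_ole2": blob.startswith(OLE2_MAGIC),
                "eqnedt_clsid": EQNEDT_CLSID_LE in blob,    # raw byte search, no CFB directory walk
            })
    return found


def build_equation_native(font_name: bytes) -> bytes:
    """Constructed sample: EQNOLEFILEHDR + MTEF v3 header + FULL, LINE, FONT, END records."""
    body = bytes([0x03, 0x01, 0x01, 0x03, 0x0A])            # MTEF v3 header
    body += bytes([0x0A, 0x01])                               # FULL size, LINE
    body += bytes([MTEF_FONT_TAG, 0x01, 0x00]) + font_name + b"\x00"
    body += b"\x00"                                           # END
    header = struct.pack("<HIHI", EQNOLEFILEHDR_LEN, 0x00020000, 0, len(body)) + b"\x00" * 16
    return header + body


def build_fake_xlsx(part_name: str, part_bytes: bytes) -> bytes:
    """Constructed minimal OOXML zip with one embedded part (not a valid workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(part_name, part_bytes)
    return buf.getvalue()


BENIGN_STREAM = build_equation_native(b"Times New Roman")
# Modelled on public CVE-2017-11882 PoCs: a command string padded past the
# buffer. No return address or shellcode is included.
SUSPECT_STREAM = build_equation_native(b"cmd.exe /c calc.exe".ljust(48, b"A"))
FAKE_XLSX = build_fake_xlsx(
    "xl/embeddings/oleObject1.bin",
    OLE2_MAGIC + b"\x00" * 120 + EQNEDT_CLSID_LE + b"\x00" * 32,
)

if __name__ == "__main__":
    for part in embedded_ole_parts(FAKE_XLSX):
        print(part)
    for label, stream in (("benign", BENIGN_STREAM), ("suspect", SUSPECT_STREAM)):
        for off, n, name in find_overlong_font_names(stream):
            print(f"{label}: FONT name of {n} bytes at stream offset 0x{off:x}: {name[:24]!r}...")
```

Against a real sample, feed `find_overlong_font_names` the bytes of the "Equation Native" stream taken from the carved OLE part; the suspect stream above yields one hit of 48 bytes at stream offset 0x23, while the benign stream yields none. The CLSID search is a raw byte match rather than a parse of the compound-file directory, so confirm it with a proper CFB reader before relying on it, and treat an overlong-name hit as a reason to open the stream in a disassembler-backed workflow, not as a verdict on its own.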

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: f716781d7c9efbe90883a1f05edd6a9b845cb651a7db4d5fcffc3bdd187878bf
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/1r.rZthQWM
Size: 2987008 bytes