Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 69b73b47b5d561b5…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.99 MB | Created: 2025-04-16 03:58:07 UTC (document core property) | Authoring application: Microsoft Excel 12.0000
MD5: 555deea32690745b955c5fc39c713e46
SHA-1: 0fda9d8784839337f007a0b0122f50e248c1dcbd
SHA-256: 69b73b47b5d561b5f35ac3b34e677accd48007c0b465ede94383e7dd64b333aa
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic
  • T1203 Exploitation for Client Execution

The sample is an OOXML workbook (.xlsx) carrying an embedded OLE object that declares the Equation Editor CLSID, the legacy component targeted by CVE-2017-11882 and related bugs. The sheet body contains a lure telling the user to 'enable editing'; that action takes the document out of Protected View, which is what allows the embedded object to be loaded and activated. The combination of the Equation Editor CLSID, a large high-entropy Ole10Native stream with malformed package sizing, and a NOP sled inside the object data indicates an exploit container built to run a secondary payload through the Equation Editor process. The heuristics report no VBA project and Excel does not load macros from a .xlsx container, so the lure is best read as a Protected View bypass rather than a macro-enable prompt.

Heuristics (5)

  • Equation Editor OLE object (high, CVE related) OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/UvWzx.SuM4N2V contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • NOP sled detected (high) SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes.
  • Equation Editor object carries payload-like Ole10Native stream (high) OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (medium) OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Macro/content-enable lure (medium) SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings and Protected View.
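The three high-severity heuristics above (Equation Editor CLSID in the embedding, a malformed Ole10Native package, and a 0x90 run of 20 or more bytes) can be reproduced with a small triage script. The following is an added example, not the analyser's own code: it walks xl/embeddings/* in an OOXML zip, byte-scans each part for the CLSID and for a case-insensitive UTF-16LE "Ole10Native" directory-entry name (the sample's stream is named OLe10NATIVE), and parses an Ole10Native package to check its size fields. The part name, file names and payload bytes are constructed for the example; the "embedding" is a plain byte string carrying the markers, not a real CFB file. The Ole10Native layout used is the commonly documented Packager layout (the same one oletools' oleobj parses); for real triage walk the CFB properly with olefile/oletools rather than byte-scanning.

```python
"""Triage checks modelled on the report's heuristics (added example)."""
import io
import re
import struct
import zipfile

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as laid out
# in a CFB directory entry: Data1..Data3 little-endian, Data4 as written.
EQNEDT_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")
NOP_SLED_MIN = 20  # the report flags 20+ consecutive 0x90 bytes

# Directory entry names are UTF-16LE; match "Ole10Native" case-insensitively,
# since a case-sensitive check misses the sample's "OLe10NATIVE".
_OLE10_NAME = re.compile(b"".join(
    b"[%c%c]\x00" % (ch.lower().encode(), ch.upper().encode()) for ch in "Ole10Native"))


def find_nop_sleds(data, minimum=NOP_SLED_MIN):
    """Return (offset, length) for every run of at least `minimum` 0x90 bytes."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(rb"\x90{%d,}" % minimum, data)]


def has_equation_editor_clsid(blob):
    return EQNEDT_CLSID_LE in blob


def ole10native_stream_names(blob):
    return [m.group().decode("utf-16-le") for m in _OLE10_NAME.finditer(blob)]


def parse_ole10native(stream):
    """Parse an Ole10Native (Packager) stream and report sizing anomalies.

    Layout assumed (documented Packager format): DWORD total size, WORD flags,
    ASCIIZ label, ASCIIZ source path, two DWORDs, ASCIIZ temp path,
    DWORD data size, data.  Anything that does not fit is reported, not raised.
    """
    issues = []
    if len(stream) < 6:
        return {"issues": ["stream shorter than the fixed header"]}
    total = struct.unpack_from("<I", stream, 0)[0]
    if total != len(stream) - 4:
        issues.append("declared size %d != actual %d" % (total, len(stream) - 4))

    def cstring(pos):
        end = stream.index(b"\x00", pos)
        return stream[pos:end].decode("latin-1"), end + 1

    try:
        label, pos = cstring(6)
        source, pos = cstring(pos)
        pos += 8  # two DWORDs (typically 0 and the temp-path length)
        temp, pos = cstring(pos)
        data_size = struct.unpack_from("<I", stream, pos)[0]
        pos += 4
    except (ValueError, struct.error):
        return {"issues": issues + ["header does not parse"]}
    remaining = len(stream) - pos
    if data_size > remaining:
        issues.append("data size %d exceeds remaining %d" % (data_size, remaining))
    return {"label": label, "source": source, "temp": temp, "data_size": data_size,
            "payload": stream[pos:pos + data_size], "issues": issues}


def build_ole10native(label, source, temp, payload):
    """Constructed, well-formed Ole10Native stream (same layout as the parser)."""
    body = (struct.pack("<H", 2) + label.encode() + b"\x00" + source.encode() + b"\x00"
            + struct.pack("<II", 0, len(temp) + 1) + temp.encode() + b"\x00"
            + struct.pack("<I", len(payload)) + payload)
    return struct.pack("<I", len(body)) + body


# Constructed sample: a NOP sled plus marker bytes inside an Ole10Native
# package, placed in a fake embedding that also carries the CLSID and the
# oddly-cased stream name.  Not a real CFB, only the markers the scans need.
PAYLOAD = b"\x90" * 32 + b"\xcc\xcc\xc3"
GOOD_STREAM = build_ole10native("invoice.exe", "C:\\Users\\a\\invoice.exe",
                                "C:\\Users\\a\\AppData\\Local\\Temp\\invoice.exe", PAYLOAD)
FAKE_EMBEDDING = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56 + EQNEDT_CLSID_LE
                  + b"\x00" * 16 + "OLe10NATIVE".encode("utf-16-le") + b"\x00" * 8
                  + GOOD_STREAM)


def build_sample_xlsx():
    """Minimal OOXML zip with one embedding part named as in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/embeddings/UvWzx.SuM4N2V", FAKE_EMBEDDING)
    return buf.getvalue()


def triage_xlsx(xlsx_bytes):
    """Apply the three checks to every xl/embeddings/* part of an OOXML file."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("xl/embeddings/"):
                continue
            blob = z.read(name)
            findings[name] = {
                "equation_editor_clsid": has_equation_editor_clsid(blob),
                "ole10native_names": ole10native_stream_names(blob),
                "nop_sleds": find_nop_sleds(blob),
            }
    return findings


if __name__ == "__main__":
    for part, found in triage_xlsx(build_sample_xlsx()).items():
        print(part, found)
    print("well-formed:", parse_ole10native(GOOD_STREAM)["issues"])
    print("truncated:  ", parse_ole10native(GOOD_STREAM[:-10])["issues"])
```

Truncating the constructed stream by ten bytes is enough to trigger both sizing checks (declared total and data size), which is the kind of mismatch the OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY heuristic describes; a carved stream from a real sample is passed to `parse_ole10native` unchanged.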

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin (ooxml-ole-object, 2824704 bytes)
    Source: OOXML embedded OLE part xl/embeddings/UvWzx.SuM4N2V
    SHA-256: 1e1db0f413a54c51a8199650b49955c58006bb47f25a1877e01318b7cfdeda76
  • ooxml_oleobject_00_ole10native_00.bin (ole-package, 2799708 bytes)
    Source: Ole10Native stream (stored under the non-standard name OLe10NATIVE) of xl/embeddings/UvWzx.SuM4N2V
    SHA-256: cafd0bc02944f8e9281369872a23dbdf497b6739d82d0db5b0a2d2949734e5db

The Ole10Native stream accounts for 2799708 of the embedding's 2824704 bytes, so the object is essentially a container for that stream; a genuine Equation.3 object holds a small "Equation Native" stream of MTEF data instead. The stream name differs in case from the standard spelling "Ole10Native", so tooling that matches stream names case-sensitively would miss it.