Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 6ce2493794a15828…

Verdict: MALICIOUS
File type: Office (OOXML) / .XLSX
Size: 2.17 MB
Created: 2025-08-06 23:16:59 UTC
Authoring application: Microsoft Excel 12.0000
MD5: f98c29ab2756c3aa8d948e69670b7959
SHA-1: fc7b47f1d282b5ae6d37096a6e30c02400885cdb
SHA-256: 6ce2493794a158287dd9f164031f91159f8ac6b3f1bbc372fa5cdd3623138ed1
Risk score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment

The sample is an OOXML spreadsheet carrying an embedded OLE object identified as a Microsoft Equation Editor (EQNEDT32.EXE) object. The critical heuristic identifies a malformed FONT record in the object's MTEF stream: an overlong typeface name, which is the field whose unbounded copy causes the stack buffer overflow tracked as CVE-2017-11882 and gives arbitrary code execution when the document is opened and the object is rendered. The document is therefore assessed as a CVE-2017-11882 exploit built to deliver a secondary payload, consistent with spearphishing-attachment delivery (T1566.001) and client-side exploitation (T1203).

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow
    Severity: critical   Class: CVE likely   Rule: CVE_2017_11882
    The Equation Editor MTEF stream contains an overlong typeface name in a FONT record, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE rather than merely the presence of the component.
  • Equation Editor OLE object
    Severity: high   Class: CVE related   Rule: OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/Bmhn40.TZBPRK carries the Equation Editor 3.0 CLSID ({0002CE02-0000-0000-C000-000000000046}), the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. The randomised part name is itself a deviation from what Excel writes (oleObjectN.bin) and is typical of exploit-builder output.
  • Embedded OLE object
    Severity: medium   Class: generic   Rule: OOXML_OLE_OBJECT
    The document contains an embedded OLE object. Not malicious on its own, but it is the container that the two higher-severity findings above are evaluated against.
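The two Equation Editor heuristics above can be reproduced with a short detector. The following is an added example, not the analyzer's own rule code or anything from the sample: it checks an embedded OLE part for the Equation Editor CLSID and walks the MTEF v3 records of the "Equation Native" stream to measure every FONT record's typeface name. Assumptions are marked in the code: the 36-byte overflow threshold comes from public write-ups of the bug, the stream is located by its EQNOLEFILEHDR signature instead of by parsing the compound-file directory (a production scanner should extract the stream with a CFB parser such as olefile), only the record types needed for this check are walked, and the benign and malicious inputs are constructed in the block, with `build_sample_xlsx` producing a stand-in zip rather than a genuine workbook.

```python
"""Added example: Equation Editor CLSID check and MTEF FONT-record length check."""
import io
import struct
import uuid
import zipfile

# Equation Editor 3.0 CLSID as stored in the OLE root directory entry (little-endian GUID).
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le

# EQNOLEFILEHDR at the start of the "Equation Native" stream:
# cbHdr (WORD, 0x1C), version (DWORD, 0x00020000), cf (WORD), cbObject (DWORD), 16 reserved bytes.
EQN_HDR = struct.Struct("<HIHI16s")
EQN_HDR_MAGIC = b"\x1c\x00\x00\x00\x02\x00"

# MTEF v3: record type in the low nibble of the tag byte, option flags in the high nibble.
REC_END, REC_LINE, REC_FONT = 0, 1, 8
TAG_ONLY_RECORDS = {10, 11, 12, 13, 14}  # FULL, SUB, SUB2, SYM, SUBSYM carry no data

# Assumed threshold: public write-ups describe a 36-byte stack buffer for the typeface
# name in EQNEDT32.EXE; anything longer is treated as the overflow condition.
FONT_NAME_LIMIT = 36


def parse_equation_native(stream: bytes) -> dict:
    """Parse an Equation Native stream far enough to inspect every FONT record."""
    if not stream.startswith(EQN_HDR_MAGIC) or len(stream) < EQN_HDR.size:
        return {"valid": False, "reason": "no EQNOLEFILEHDR"}
    cb_hdr, _version, _cf, cb_object, _reserved = EQN_HDR.unpack_from(stream, 0)
    mtef = stream[cb_hdr:cb_hdr + cb_object]
    if len(mtef) < 5 or mtef[0] != 3:
        return {"valid": False, "reason": "not MTEF v3"}
    result = {"valid": True, "platform": mtef[1], "product": mtef[2],
              "records": 0, "fonts": [], "overlong_font": False}
    pos = 5  # skip the 5-byte MTEF header: version, platform, product, ver, subver
    while pos < len(mtef):
        tag = mtef[pos]
        rtype, flags = tag & 0x0F, tag & 0xF0
        pos += 1
        result["records"] += 1
        if rtype == REC_END:
            break
        if rtype in TAG_ONLY_RECORDS or (rtype == REC_LINE and flags == 0):
            continue  # nothing to skip; the next record follows immediately
        if rtype == REC_FONT:
            if pos + 2 > len(mtef):
                break
            tface, style = mtef[pos], mtef[pos + 1]
            pos += 2
            end = mtef.find(b"\x00", pos)  # NUL-terminated name: the copy the bug trusts
            name = mtef[pos:] if end == -1 else mtef[pos:end]
            pos = len(mtef) if end == -1 else end + 1
            result["fonts"].append({"tface": tface, "style": style,
                                    "name": name, "name_len": len(name)})
            result["overlong_font"] |= len(name) > FONT_NAME_LIMIT
            continue
        # CHAR, TMPL, PILE, MATRIX, ... have variable layouts this heuristic does not
        # need; stop walking rather than guess their lengths.
        result["stopped_at"] = rtype
        break
    return result


def scan_ole_blob(blob: bytes) -> dict:
    """Apply both heuristics to the raw bytes of one embedded OLE part."""
    finding = {"equation_editor_clsid": EQNEDT_CLSID in blob,
               "overlong_font": False, "fonts": []}
    # Assumption: locate the stream by signature; a real scanner should read the
    # "Equation Native" stream through a CFB parser (e.g. olefile) instead.
    off = blob.find(EQN_HDR_MAGIC)
    if off != -1:
        parsed = parse_equation_native(blob[off:])
        if parsed["valid"]:
            finding["overlong_font"] = parsed["overlong_font"]
            finding["fonts"] = parsed["fonts"]
    return finding


def scan_ooxml(data: bytes) -> list:
    """Scan every embeddings part (xl/, word/, ppt/) inside an OOXML zip."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if "/embeddings/" in name:
                finding = scan_ole_blob(z.read(name))
                finding["part"] = name
                findings.append(finding)
    return findings


def build_equation_native(font_name: bytes) -> bytes:
    """Constructed test data: minimal MTEF v3 body (FULL, LINE, FONT, END) in an EQNOLEFILEHDR."""
    body = bytes([3, 1, 1, 3, 10])                  # MTEF v3, Windows, Equation Editor 3.10
    body += bytes([10]) + bytes([1])                # FULL size record, then a LINE
    body += bytes([8, 1, 0]) + font_name + b"\x00"  # FONT: tface=1, style=0, NUL-terminated name
    body += bytes([0])                              # END
    return EQN_HDR.pack(EQN_HDR.size, 0x00020000, 0xC49E, len(body), b"\x00" * 16) + body


def build_sample_xlsx(font_name: bytes) -> bytes:
    """Constructed stand-in for the sample: one embeddings part carrying the CFB signature,
    the Equation Editor CLSID and an Equation Native stream. Not a valid compound file."""
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56 + EQNEDT_CLSID + b"\x00" * 64
    ole += build_equation_native(font_name)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/embeddings/oleObject1.bin", ole)
    return buf.getvalue()


if __name__ == "__main__":
    for label, font in (("benign", b"Times New Roman"), ("malicious", b"A" * 60)):
        for f in scan_ooxml(build_sample_xlsx(font)):
            print(label, f["part"], "clsid=%s overlong_font=%s" % (f["equation_editor_clsid"], f["overlong_font"]))
```

On a real sample, replace `build_sample_xlsx` with the bytes of the workbook itself; the CLSID check then works directly on the part, and the signature search will find the stream whenever the mini-stream sectors holding it are contiguous, which is the common case but not guaranteed, hence the recommendation to use a CFB parser in production.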

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 3edc79bd327ac6a7a9a09e24777e44277822d69de8cb80392d8646bd3e85b993
Kind: ooxml-ole-object
Source: OOXML embedded OLE part xl/embeddings/Bmhn40.TZBPRK
Size: 3072000 bytes

Note for the analyst: at roughly 3 MB the carved OLE part is far larger than the few kilobytes a genuine Equation Editor object occupies, so the compound file is worth inspecting for streams beyond "Equation Native" and for appended or padding data.