Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 6fb2dfbb2043107e…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.20 MB
Created: 2025-08-06 23:16:59 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 5725f0733ac0d4f7d9f5e3ef1ef221c8
SHA-1: 066549793ff7b8e91d3093b93cb30fe61b0f83b6
SHA-256: 6fb2dfbb2043107e62085b3cc70008a8ce2b555136a711c8919fc10e5f306a38
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution

The sample is an Office Open XML spreadsheet that carries an embedded OLE object (xl/embeddings/nV.AKmt) whose compound file contains the CLSID of Equation Editor 3.0 (EQNEDT32.EXE), the legacy out-of-process component targeted by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. When the host application renders the object, Equation Editor parses the embedded equation data; a crafted record corrupts its memory and runs attacker code without any macro, and in the wild this stage is commonly used to download and execute a secondary payload. The worksheet content consists of apparently random characters, indicating that the document is not meant to be read by the recipient and exists only to deliver the exploit object.

Heuristics (2)

  • Equation Editor OLE object [high] [CVE related] (OLE_EQUATION_EDITOR)
    The embedded OLE object xl/embeddings/nV.AKmt contains the CLSID of Equation Editor, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [medium] (OOXML_OLE_OBJECT)
    The document contains an embedded OLE object.
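The Python script below is an added example, not the analysis platform's code, that reproduces the two heuristics above on a constructed .xlsx. Using only the standard library, it opens the OOXML zip, carves every part under xl/embeddings/ (and word/ and ppt/ embeddings), parses the Compound File Binary header and directory of each part, and flags the object when the root storage CLSID equals the Equation Editor 3.0 CLSID (0002CE02-0000-0000-C000-000000000046, ProgID "Equation.3", a value from general knowledge rather than from this report) or when an "Equation Native" stream is present, since a sample that keeps one signal and drops the other should still be caught. It also records the size and SHA-256 of each carved object, as the Extracted artifacts section does. The part name oleObject1.bin, the builder functions and the minimal 3-sector compound file are part of the constructed sample; the real sample's part is xl/embeddings/nV.AKmt. The parser follows only the FAT sectors listed in the header DIFAT, which is enough for objects below roughly 6.8 MiB at 512-byte sectors and so covers the 3,068,928-byte object in this report.

```python
import hashlib
import io
import struct
import uuid
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CLSID of Equation Editor 3.0 (EQNEDT32.EXE), ProgID "Equation.3".
EQUATION_EDITOR_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")
NULL_CLSID = uuid.UUID(int=0)
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
EMBEDDING_PREFIXES = ("xl/embeddings/", "word/embeddings/", "ppt/embeddings/")


def _sector(data, size, sid):
    return data[(sid + 1) * size:(sid + 2) * size]  # sector 0 follows the 512-byte header


def parse_cfb_directory(data):
    """Return [(name, object_type, clsid)] for every used directory entry. Follows only the
    FAT sectors listed in the header DIFAT (109 of them, ~6.8 MiB at 512-byte sectors)."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir_sid = struct.unpack_from("<I", data, 48)[0]
    fat = []
    for fat_sid in struct.unpack_from("<109I", data, 76):
        if fat_sid == FREESECT:
            break
        fat.extend(struct.unpack(f"<{size // 4}I", _sector(data, size, fat_sid)))
    entries, sid, seen = [], first_dir_sid, set()
    while sid != ENDOFCHAIN and sid not in seen:  # 'seen' guards against crafted FAT loops
        seen.add(sid)
        sector = _sector(data, size, sid)
        for off in range(0, size, 128):  # directory entries are 128 bytes each
            raw = sector[off:off + 128]
            name_len = struct.unpack_from("<H", raw, 64)[0]
            if name_len == 0:
                continue  # unused slot
            name = raw[:name_len].decode("utf-16-le").rstrip("\x00")
            entries.append((name, raw[66], uuid.UUID(bytes_le=raw[80:96])))
        sid = fat[sid] if sid < len(fat) else ENDOFCHAIN
    return entries


def classify_ole_object(blob):
    """Map one carved OLE object onto the heuristic IDs used in this report."""
    entries = parse_cfb_directory(blob)
    root = next((e for e in entries if e[1] == 5), None)  # object type 5 = root storage
    # The MTEF payload sits in an "Equation Native" stream; flag on either signal.
    has_equation_stream = any(name == "Equation Native" for name, _, _ in entries)
    hits = ["OOXML_OLE_OBJECT"]
    if (root is not None and root[2] == EQUATION_EDITOR_CLSID) or has_equation_stream:
        hits.append("OLE_EQUATION_EDITOR")
    return hits


def scan_ooxml(source):
    """Carve every compound-file part under */embeddings/ from an OOXML zip (path or bytes)."""
    results = []
    with zipfile.ZipFile(io.BytesIO(source) if isinstance(source, bytes) else source) as zf:
        for name in zf.namelist():
            blob = zf.read(name) if name.startswith(EMBEDDING_PREFIXES) else b""
            if blob[:8] != CFB_MAGIC:
                continue  # not an embedding part, or not an OLE compound file
            results.append({"part": name, "size": len(blob),
                            "sha256": hashlib.sha256(blob).hexdigest(),
                            "heuristics": classify_ole_object(blob)})
    return results


def build_test_cfb(clsid, stream_name="Equation Native"):
    """Constructed 3-sector compound file: header, one FAT sector, one directory sector."""
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x003E, 0x0003, 0xFFFE, 9, 6)  # v3, 512-byte sectors
    struct.pack_into("<IIII", header, 44, 1, 1, 0, 0x1000)  # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIII", header, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no DIFAT sectors
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))  # the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))

    def entry(name, object_type, entry_clsid, child=NOSTREAM):
        encoded = name.encode("utf-16-le") + b"\x00\x00"
        raw = bytearray(encoded.ljust(128, b"\x00"))
        struct.pack_into("<HBBIII", raw, 64, len(encoded), object_type, 1, NOSTREAM, NOSTREAM, child)
        raw[80:96] = entry_clsid.bytes_le
        struct.pack_into("<I", raw, 116, ENDOFCHAIN)  # zero-length stream, no data sectors
        return bytes(raw)

    directory = entry("Root Entry", 5, clsid, child=1) + entry(stream_name, 2, NULL_CLSID)
    return bytes(header) + fat + directory.ljust(512, b"\x00")


def build_test_xlsx(ole_blob, part="xl/embeddings/oleObject1.bin"):
    """Constructed minimal .xlsx-style zip carrying one embedded OLE part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # stub; real workbooks carry more parts
        zf.writestr(part, ole_blob)
    return buf.getvalue()
```

Calling scan_ooxml on a real document path returns one record per carved OLE part, with the part name, size, SHA-256 and the heuristic IDs that fired; the ~3 MB object in this report would be reported the same way. Note that the CLSID check alone is only a pointer to the vulnerable component, not proof of exploitation: confirming the CVE requires parsing the MTEF records in the Equation Native stream (for example an oversized font name for CVE-2017-11882), which this script does not do.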

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 796fdcc41765206aa8c0756a1b7f4653ffdf86fc638b21fec78a2558489894df
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/nV.AKmt
Size: 3068928 bytes