Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 728d4b18515d35ce…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.37 MB
Created: 2025-09-04 00:14:20 UTC
Authoring application: Microsoft Excel 12.0000
MD5: bb44a45be5012cfa3f6ed135511ac968
SHA-1: c82166f74a9b07b8324e61150b820c9cf9e9d287
SHA-256: 728d4b18515d35ce8207f001ad9c8331ddce260d7ae995656faefaecce30f3c3
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate this object carries a payload-like stream with an anomalous header, suggesting it is designed to exploit a vulnerability in that legacy component. The document also contains a lure to enable macros or editing, a common tactic used by malware droppers.

Heuristics (4)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/lKgqKzk.ik0e4dg contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high) [OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
  • Macro/content-enable lure (severity: medium) [SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 5388ef3bed638fc8ef3b79fbdaf52c190c2cbdf281c46c80f1e713e99ad62379
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/lKgqKzk.ik0e4dg
  Size: 3022848 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 96748bc31a905a39b163a7aab7a4fd56129bae4771564e20487987d0d201d6ad
  Kind: ole-package
  Source: OOXML xl/embeddings/lKgqKzk.ik0e4dg Ole10Native stream: ole10nAtivE
  Size: 2996482 bytes