Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 7a8846e654bd1af0…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.17 MB
Created: 2025-08-06 23:16:59 UTC
Authoring application: Microsoft Excel 12.0000
MD5: d0bc6065bbdcee1514e59c1599974270
SHA-1: 46f275ee855f7575b805c974d63ef953ac95718d
SHA-256: 7a8846e654bd1af0ed539fe5eb9b0aa7c24433f6d649fb1897d8e48a27649483
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The sample is an Excel document containing an embedded OLE object identified as an Equation Editor. This is a high-confidence indicator of malicious intent, as Equation Editor OLE objects are frequently used to exploit vulnerabilities and execute arbitrary code. The embedded object's filename is 'vQ.Xmq'. No document body text or scripts were extracted, but the presence of the OLE object strongly suggests an attempt to exploit a client vulnerability.

Heuristics 2

  • Equation Editor OLE object [high] [CVE related] [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/vQ.Xmq contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [medium] [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
          f3a049f90fbf4596a73a82c74f8d999d4d58facea4e78b36060f4896a909460c
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/vQ.Xmq
Size: 3053056 bytes