Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 7b975d7f09acb384…

MALICIOUS

Office (OOXML) / .XLSX

2.54 MB Created: 2025-09-04 00:14:20 UTC Authoring application: Microsoft Excel 12.0000
MD5: 10eb4524be603064924e69cf3ff544a2 SHA-1: 0f2fb702632234617c861505cc252d4cc3098a78 SHA-256: 7b975d7f09acb384de337c3d6b7a97e22e88c92b687d63760dd0c90bf6a18589
120 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. Heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous header, strongly suggesting it's an exploit. The document also contains a lure to enable macros or editing, a common tactic for malware droppers. The presence of an exploit within an embedded object points to exploitation for client execution, likely delivered via spearphishing.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/IBPgvHP6m.XTTHwOe contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream high OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
16435baf5bfb7ddd83af4d97b01ebd112794022cc53208769452f18fdc008a99		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/IBPgvHP6m.XTTHwOe 2944512 bytes
ooxml_oleobject_00_ole10native_00.bin
9de9589a55a4e31c98c9de7a82ad0bcdce8f80a243350feaa39b4300767dc4ac		 ole-package OOXML xl/embeddings/IBPgvHP6m.XTTHwOe Ole10Native stream: ole10nATiVe 2918983 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.