Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 7bdc9b08d8e99d82…

MALICIOUS

Office (OOXML) / .XLSX

3.05 MB
Created: 2025-10-08 01:54:00 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 0b14826f4949f024ba538c1a16620ce1
SHA-1: a2ba218a7556fcca1f675c8aa91612f0eaf40444
SHA-256: 7bdc9b08d8e99d82729dd9ac47f1ca8007547361827a72e53374ec8b56942747
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Excel document containing an embedded OLE object identified as an Equation Editor object. This type of object is frequently used to exploit vulnerabilities, such as CVE-2017-11882, to achieve arbitrary code execution within the context of the application opening the document. The presence of this object strongly suggests an attempt to exploit the user's software.

Heuristics (2)

  • Equation Editor OLE object | high | CVE related | OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/oZEmB.aqr contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object | medium | OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin (8dc5d451848aa2ecab9d18df23d3ee90a5eb00794674e4087df77e7c3347ce53)
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/oZEmB.aqr
Size: 3078656 bytes