Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 7cc24ced6110feee…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.23 MB
Created: 2025-09-04 00:14:20 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 8b9fc4b117993fb07409c612ef45d179
SHA-1: c53e1c93cb50901891f9c60ca6a763adda9f7dbe
SHA-256: 7cc24ced6110feee0ecafa9be60597697fe704bd77fe4b029f1ed8e0a1f10d31
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic

The file is an Excel spreadsheet containing an embedded OLE object, specifically identified as an Equation Editor object. The document body, though partially truncated and in Afrikaans, contains text that appears to be a lure for special offers, combined with a heuristic indicating a 'macro/content-enable lure'. This suggests the document is designed to trick the user into enabling macros or content, which would then likely execute the embedded OLE object, leading to exploitation.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE-related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/s2uGTS.qnU contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
  • Macro/content-enable lure (severity: medium) [SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 0cd9d0dbb747c7299c9b63feae3b449ca182d7b6b27929a3621a935852643680
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/s2uGTS.qnU
Size: 3012096 bytes