Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 7eb2edc1afdb363b…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.97 MB
Created: 2025-06-12 01:12:31 UTC
Authoring application: Microsoft Excel 12.0000
MD5: d458029745ff365b621306bc077cad25
SHA-1: 9011acddbc2282c1a80f0186acd6239586d581e3
SHA-256: 7eb2edc1afdb363bf12a4e313adabaaeec2d859b2e3f567b6a2751099fc59c2d
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an Excel file containing an embedded OLE object identified as an Equation Editor. This is a common technique used to exploit vulnerabilities in Microsoft Office applications, often leading to the execution of malicious code. The presence of the Equation Editor OLE object strongly suggests an exploit delivery mechanism.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/EaDBrc.yshJ51 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    SHA-256: 940abc649c88038f7be86be5a7852dd90f48ab329cee84cef999d9b9811e2c0f
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/EaDBrc.yshJ51
    Size: 2844160 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: df49117b445115cdf6cb0dc6c3e0af90f393825e07d5c96e9b5e4ef65dfa884b
    Kind: ole-package
    Source: OOXML xl/embeddings/EaDBrc.yshJ51, Ole10Native stream: ole10NAtivE
    Size: 2819083 bytes