Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 7ebcb6d59b8c7f8e…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.96 MB
Created: 2025-09-10 01:57:00 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 6b046fb7d93dc99f4d95e3f06e2387e3
SHA-1: e82bb8f77ecc797e8d68c4a9519ca7cc7bae423d
SHA-256: 7ebcb6d59b8c7f8e3054627de644e0df38d550b9beecc25f1c5fc7c69f6a877f
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The high-severity heuristic firing for an Equation Editor OLE object indicates a likely exploit attempt. This object is often used to deliver malicious payloads by exploiting vulnerabilities within the Equation Editor component. No further IOCs or script content were extracted to provide more specific details on the payload or delivery mechanism.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE related; heuristic: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/lo.pCAm contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; heuristic: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    644daf8f4be71588979f6208f97b7490b3a56b812e4e3689405c29e99bd07602
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/lo.pCAm
    Size: 3060736 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    7fab6c4ed0103e2ea66630909a117afff807096f6c72b78c2680223128a7f50b
    Kind: ole-package
    Source: OOXML xl/embeddings/lo.pCAm Ole10Native stream: ole10NaTiVE
    Size: 3034595 bytes