Office (OOXML) / .XLSX malware analysis — malicious · 80ca8e844c419a59

MALICIOUS

Office (OOXML) / .XLSX

2.18 MB Created: 2025-08-28 00:09:56 UTC Authoring application: Microsoft Excel 12.0000

MD5: bcfe0e4d1c6e0f4ce90a339d3f443a8f SHA-1: a83759deed0f197573f1e4ec89e6d59111d13217 SHA-256: 80ca8e844c419a59f08e7472126548baead662460d8a84a2790a41855b23958b

80 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.005 Visual Basic

The file is an Excel document containing an embedded OLE object, specifically identified as an Equation Editor object. The presence of the 'SE_ENABLE_LURE' heuristic indicates that the document likely contains content designed to prompt the user to enable macros or editing, a common tactic for macro-based malware. The embedded OLE object is a strong indicator of malicious intent, often used to deliver exploits.

Heuristics 3

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/Vn.gusKI2 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `6eeeab2f1b067658a28a2c4c2f84460448b310ce4c6b968c53ed375998a0bf01`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/Vn.gusKI2	2960384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.