Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 819634db0c56ed32…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.17 MB
Created: 2025-06-18 02:06:16 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 27a4a35fbc1e45ebabc0ee7a23004c5c
SHA-1: 6e248bc48d406a84442485e5a079c2a06650571c
SHA-256: 819634db0c56ed324da2d6de581efb197862f5a71a0df10138719251cf3db4fb
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Excel file containing an embedded OLE object, specifically identified as an Equation Editor object. Critical heuristic firings indicate the presence of the CVE-2017-11882 vulnerability, which is known to allow for arbitrary code execution. This exploit is typically used to download and execute a secondary payload.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow [severity: critical; category: CVE likely; rule: CVE_2017_11882]
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object [severity: high; category: CVE related; rule: OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/dS91FzhF.WVrcps contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [severity: medium; rule: OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: fa869cb6a5e7b0cc98da31564500ba476c98757c749ef2e6220208d3dbb5d8c4
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/dS91FzhF.WVrcps
Size: 3000320 bytes