Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 85aec5cb1d5c509c…

Verdict: MALICIOUS

File type: Office (OOXML) / .XLSX

Size: 2.17 MB
Created: 2025-07-15 00:56:42 UTC
Authoring application: Microsoft Excel 12.0000
MD5: a0629ac0390ada8a453ecac3c6240a0c
SHA-1: 9f2b837867dd592434ca888d8be285bab17f3cfd
SHA-256: 85aec5cb1d5c509c427eb35b23da6a21a9cf49e30610619ebe4ba15dba2287fc
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an Office Open XML (XLSX) file containing an embedded OLE object. The high-severity heuristic indicates that this object carries the Equation Editor CLSID, a legacy component commonly exploited to deliver malware. The embedded OLE object itself is listed as an IOC.

Heuristics (2)

  • Equation Editor OLE object [severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/NhtomCbH.HwpnR contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [severity: medium; rule: OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 750032ec63d173294e2775032964ce4bcd4f5f660dfa8920de9283f1a3f4761b
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/NhtomCbH.HwpnR
    Size: 3077632 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 36de0e5d1b89085b779fade911e73d933dc292224caffb2cd7bf770d25170c93
    Kind: ole-package
    Source: OOXML xl/embeddings/NhtomCbH.HwpnR Ole10Native stream: OLe10nATIVe
    Size: 3051143 bytes