Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 861af769e34a16be…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.89 MB
Created: 2025-09-10 01:57:00 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2026-01-30
MD5: eec6f6bc125e6153ead32b46ac65d744
SHA-1: 0ccd9c44fa0318d700fad87727823aa6ed78853c
SHA-256: 861af769e34a16be725fbf0692e3454f9a3243cfaa2bdc0dd7bd646ccb2c0ebf
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1559.001 Component Object Model Hijacking

The critical heuristic firing for CVE-2017-11882 indicates the exploitation of a known vulnerability in the Equation Editor. This, combined with the presence of an embedded OLE object, strongly suggests the file is designed to execute arbitrary code. The exploitation of the Equation Editor is a common technique for initial execution.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow (severity: critical; CVE: likely; tag: CVE_2017_11882)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object (severity: high; CVE: related; tag: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/4pktUXyPd.LK2sb6F contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; tag: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 6954c58af3344b708685d65a8aac6178ed1e5b72d09faf6b047b00252ce05264
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/4pktUXyPd.LK2sb6F
Size: 3011072 bytes