Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 863746b182956506…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.20 MB
Created: 2025-07-23 07:56:53 UTC
Authoring application: Microsoft Excel 12.0000
MD5: db9e95851f58a0ce7754e82685800a25
SHA-1: c035af213747de9660ea7732f0b6e2be741f140c
SHA-256: 863746b1829565063a85efd58f469a3ce53247fc37d644399715bbd7891fcd33
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model
T1204.002 User Execution: Malicious File

The high-severity 'Equation Editor OLE object' heuristic fired because the embedded OLE part carries the CLSID of the legacy Equation Editor component (EQNEDT32.EXE), the target of CVE-2017-11882 and its follow-ups. That component runs as a separate process when the object is loaded, so a crafted equation record gives arbitrary code execution without macros and with a user interaction requirement of merely opening the workbook. Two details of this sample point at deliberate evasion: the embedded part is named xl/embeddings/rN30AsW.m2SF rather than the usual oleObjectN.bin (Office locates embedded parts through relationships, so the extension is irrelevant to it but defeats extension-based filters), and the native stream inside the compound file is named oLE10NaTIVe, which the OLE runtime matches case-insensitively but a case-sensitive signature for "Ole10Native" would miss. The Ole10Native stream is about 3 MB, far larger than any legitimate equation object, which is consistent with padding to exceed scanner size limits. Note that the heuristic only establishes that an Equation Editor object is present; confirming exploitation requires carving the Ole10Native stream and checking the equation (MTEF) data for an oversized FONT record name, the overflow condition behind CVE-2017-11882. No document body or scripts were extracted, which limits further static analysis of the payload.

Heuristics 2

  • Equation Editor OLE object (severity: high; CVE related; rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/rN30AsW.m2SF contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 1d586ff0a97efc69551886dcca4ceaac04088b7e3180420cc9b92a3b6b54ca3e
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part xl/embeddings/rN30AsW.m2SF
  Size: 3026944 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 98244d63d32cc97d57332785d3f6039fc8097ee316c9e7deab76f01e8c295ac0
  Kind: ole-package
  Source: OOXML xl/embeddings/rN30AsW.m2SF, Ole10Native stream (stored as "oLE10NaTIVe")
  Size: 3000542 bytes
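The following triage script is an added example and not code from the analysis platform that produced this report. It reproduces the two heuristics above and the follow-up check described in the insights paragraph: it walks every part under xl/embeddings/ regardless of extension, tests for the CFB magic and the Equation Editor CLSID, finds the Ole10Native directory-entry name case-insensitively (so the mixed-case oLE10NaTIVe variant is caught and reported as non-standard), and measures the name length of the first MTEF FONT record. It scans the compound file as raw bytes rather than parsing its sectors, assumes the common layout of MTEF header followed almost immediately by a FONT record, and uses a 36-byte name-length threshold taken from public analyses of CVE-2017-11882; all three are assumptions, and a production parser should walk the CFB FAT and the MTEF record stream properly. The workbook it scans is constructed inline and contains none of the real sample's bytes.

```python
"""Triage an OOXML workbook for Equation Editor OLE objects (CVE-2017-11882 family).

Added example, stdlib only. The embedded CFB is scanned as raw bytes: the CLSID,
the directory-entry name and the MTEF header are all plain byte patterns, which
is enough for triage even without a sector-level CFB parser.
"""
import io
import re
import struct
import uuid
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} in the
# little-endian layout used inside a CFB directory entry.
EQNEDT_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046").bytes_le
# CFB directory names are UTF-16LE and the OLE runtime compares them
# case-insensitively, so the signature must be case-insensitive as well.
OLE10NATIVE_RE = re.compile(
    b"O\x00l\x00e\x001\x000\x00N\x00a\x00t\x00i\x00v\x00e\x00", re.IGNORECASE)
# MTEF v3 header: version 3, platform Windows, product Equation Editor, version 3.
# Assumption: only this header form (Equation Editor 3.0 output) is handled.
MTEF_HEADER = b"\x03\x01\x01\x03"
FONT_TAG = 0x08          # MTEF record tag for FONT: tag, typeface, style, NUL-terminated name
MAX_FONT_NAME = 36       # assumed threshold: stack buffer size cited in public CVE-2017-11882 analyses


def find_mtef_font(data):
    """Locate the MTEF header and the first FONT record shortly after it.

    Returns None when no header is present, otherwise the font name, its length
    and whether it exceeds the assumed buffer size (the overflow condition).
    """
    pos = data.find(MTEF_HEADER)
    if pos < 0:
        return None
    start = pos + 5                       # skip the 5-byte header (4 matched + subversion)
    tag = data.find(bytes([FONT_TAG]), start, start + 16)  # heuristic window, not a record walk
    if tag < 0:
        return None
    end = data.find(b"\x00", tag + 3)
    if end < 0:
        end = len(data)
    name = data[tag + 3:end]
    return {"font_name": name.decode("latin-1"), "name_len": len(name),
            "overflow": len(name) > MAX_FONT_NAME}


def scan_embedded_part(data):
    """Raw-byte checks on one embedded OLE part."""
    m = OLE10NATIVE_RE.search(data)
    name = m.group(0).decode("utf-16-le") if m else None
    return {
        "is_cfb": data.startswith(CFB_MAGIC),
        "has_eqnedt_clsid": EQNEDT_CLSID in data,
        "ole10native_name": name,
        "nonstandard_case": name is not None and name != "Ole10Native",
        "font_record": find_mtef_font(data),
    }


def parse_ole10native(stream):
    """Equation Editor objects store the MTEF data behind a 4-byte length prefix."""
    if len(stream) < 4:
        raise ValueError("stream too short for a length prefix")
    declared = struct.unpack_from("<I", stream)[0]
    native = stream[4:4 + declared]
    return {"declared_len": declared, "length_ok": declared == len(stream) - 4,
            "font": find_mtef_font(native)}


def scan_xlsx(xlsx_bytes):
    """Scan every part under xl/embeddings/; the extension is arbitrary, so do not filter on .bin."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for info in z.infolist():
            if info.filename.startswith("xl/embeddings/"):
                part = z.read(info.filename)
                result = scan_embedded_part(part)
                result["part"] = info.filename
                result["size"] = len(part)
                findings.append(result)
    return findings


def verdict(findings):
    """Mirror the report's high-severity rule: a CFB part carrying the Equation Editor CLSID."""
    return any(f["is_cfb"] and f["has_eqnedt_clsid"] for f in findings)


def build_demo_xlsx():
    """Constructed workbook (not the real sample): a fake CFB body with the mixed-case
    stream name, the Equation Editor CLSID and an MTEF FONT record with a 48-byte name."""
    mtef = MTEF_HEADER + b"\x0a" + b"\x0a\x01" + bytes([FONT_TAG, 0x5a, 0x5a]) + b"A" * 48 + b"\x00"
    stream = struct.pack("<I", len(mtef)) + mtef
    part = (CFB_MAGIC + b"\x00" * 24 + "oLE10NaTIVe".encode("utf-16-le")
            + b"\x00" * 8 + EQNEDT_CLSID + b"\x00" * 8 + stream)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/embeddings/rN30AsW.m2SF", part)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_xlsx(build_demo_xlsx()):
        print(f)
    print("verdict:", "MALICIOUS" if verdict(scan_xlsx(build_demo_xlsx())) else "clean")
```

Run against a real workbook, feed `open(path, "rb").read()` to `scan_xlsx`; a finding with `nonstandard_case` set, or a `font_record` whose `overflow` is true, is the point at which to carve the stream with a proper CFB parser and hand it to a sandbox.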