Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 86f37c2ef17615be…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.09 MB
Created: 2025-06-12 01:12:31 UTC
Authoring application: Microsoft Excel 12.0000
MD5: e457ab59df4508cc44def26b05570880
SHA-1: 29d9bec79db71b710ce7e7a9169bbc83e7033a9a
SHA-256: 86f37c2ef17615be493421bc24c2bbff57bda35298bf1f50aeb7b7d95a2b40d9
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File Execution
  • T1559.001 Component Object Model Hijacking

The file is an OOXML document containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. This type of object is known to be vulnerable to code execution exploits. The presence of the Equation Editor OLE object strongly suggests an attempt to leverage CVE-2017-11882 or a similar vulnerability to achieve arbitrary code execution, likely for downloading and executing a further stage of malware.

Heuristics (2)

  • Equation Editor OLE object — severity: high — CVE related — OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/xpX7BhYWu.D8ajCon contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object — severity: medium — OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 25aac15a27ac0c51a9804b61eee56f45ce2877ac5d02afe703aca9c8dfc9f1b8
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/xpX7BhYWu.D8ajCon
    Size: 3009536 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: f082c84b4f42bc3712241025650b3a0e028272cf662c29d963df4fd12994edac
    Kind: ole-package
    Source: OOXML xl/embeddings/xpX7BhYWu.D8ajCon Ole10Native stream: Ole10nAtIve
    Size: 2983730 bytes