Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8907fd8579d5b71b…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.16 MB
Created: 2025-08-18 05:08:49 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 16537974e4bccf0e073b0c5a0b7f673d
SHA-1: 9129432d3d632495b3d0d18fa7e851c90dce2ad1
SHA-256: 8907fd8579d5b71b847d16778eb33914fd32a8ae789c5e124605f9a09fc2229d
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an Office Open XML (OOXML) document identified as malicious. Static analysis revealed an embedded OLE object, specifically an Equation Editor object; embedding this legacy component is a well-known technique for triggering memory-corruption vulnerabilities that lead to arbitrary code execution. The document body contains garbled text, suggesting it is not intended for direct user consumption but rather to serve as a carrier for the exploit. The presence of the Equation Editor OLE object strongly indicates an attempt to exploit a client execution vulnerability.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE related, rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/jXyF6Eh.kjCdB contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: e31be3ed62adb5773682c39b9d7f735030945988e7742bddd460b58200e644dc
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/jXyF6Eh.kjCdB
Size: 3064832 bytes