Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8a93756d5216c939…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.00 MB
Created: 2026-04-16 01:20:20 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2026-04-16
MD5: 75b0c196d50da3823da63afe313529b8
SHA-1: 90f2787873bfa360790020f0edf8b92abc327ee7
SHA-256: 8a93756d5216c93984b74f02f27b5c434dc8535492cf5c1d477a742af374435d
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link: Malicious Link
  • T1559 Component Object Model Hijacking
  • T1559.001 Component Object Model Hijacking: Component Object Model Hijacking

The file is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. This strongly suggests exploitation of a known vulnerability within the Equation Editor component to achieve arbitrary code execution. No document body text or scripts were extracted, limiting further analysis of the payload, but the presence of the vulnerable OLE object is a high-confidence indicator of malicious intent.

Heuristics (2)

  • Equation Editor OLE object (high, CVE related, OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/32bTZt0Wr.15dQi4 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (medium, OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
          7871daf34fe9dba3eefcc4bf201af97cdcb360f213f71458d8e4a07f3bd553d0
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/32bTZt0Wr.15dQi4
Size: 2874368 bytes