Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8b2ca70131280a39…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.82 MB
Created: 2025-09-10 01:57:00 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 0f2665a2653089588aa4375f8b0242a2
SHA-1: 27c5d8872ba1b69b3ba84c212164a1f5a1db4bfe
SHA-256: 8b2ca70131280a39249b5ec202d06ea688419421af4795747cbbe71bd41b7fde
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The high-severity heuristic firing for an Equation Editor OLE object indicates a likely exploit attempt. This type of embedded object is commonly used to leverage vulnerabilities in Microsoft Office applications, leading to the execution of arbitrary code. The presence of this object is the primary indicator of malicious intent.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE related, rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/yYQMbh3V.mRk contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium, rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 099b62f73df6d53011864b5f78324731c361dd4ed50bb45276bef19cf37560d7
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part: xl/embeddings/yYQMbh3V.mRk
  Size: 2907648 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 17344943f132ceb6bd75fba5d2d2f4c480d0a7b87c8f6429bcb1e5092d61b954
  Kind: ole-package
  Source: OOXML xl/embeddings/yYQMbh3V.mRk Ole10Native stream: oLE10NaTIvE
  Size: 2882379 bytes