Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8b562a584f5ada7d…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.13 MB
Created: 2026-04-16 01:20:20 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2026-04-21
MD5: 995d8ccbed61212f14514496490a4314
SHA-1: a71a7aff45ef913d00831b36862017862618434a
SHA-256: 8b562a584f5ada7d76d8071894ee74b7cd2bcc3d9799c01ae0f3c1df6670d15a
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The sample is an Office document containing an embedded OLE object identified as an Equation Editor object. This strongly suggests exploitation of a vulnerability in the Equation Editor component to execute arbitrary code. No document body text or scripts were extracted, which limits further analysis of the payload's intent, but the embedded Equation Editor object is a high-confidence indicator of malicious activity.

Heuristics 2

  • Equation Editor OLE object (high; CVE related; OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/1Wqx.YHA contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (medium; OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
    78e1696b186bbe52058f2ef90afebfac3a3404d252b0d411310bbe158df9c072
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/1Wqx.YHA
Size: 2966528 bytes