Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8cd147a7eb48ce38…

MALICIOUS

Office (OOXML) / .XLSX

2.15 MB Created: 2025-08-06 23:16:59 UTC Authoring application: Microsoft Excel 12.0000
MD5: 2e2a6c6d54edc19915b3c3d0a70371fd SHA-1: 01f5a3cacc18cff1afa4033814d64c3a323925c6 SHA-256: 8cd147a7eb48ce38de2f5298a07a96ff8267ce55f2b5a6c991612c69c567812d
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. High and critical heuristics indicate the exploitation of CVE-2017-11882 through a FONT record overflow within this object. This exploit is commonly used to download and execute a second-stage payload. The document body contains garbled text, suggesting it is not intended for direct user interaction but rather to facilitate the exploit.

Heuristics 3

  • CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/wgqP.pXJ contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
33b7f09fa0d69b6f3064dc1be634dc129ad6227a84939b757bf3d293f5e1c783		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/wgqP.pXJ 2996736 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.