Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 8f954b3c35cdcb7d…

MALICIOUS

Office (OOXML) / .XLSX

2.05 MB Created: 2025-05-19 10:24:35 UTC Authoring application: Microsoft Excel 12.0000
MD5: ec8bd91796540fa05e37e3db2896a936 SHA-1: 3865618f8f716b29375535088c80deb044c112c5 SHA-256: 8f954b3c35cdcb7d1f9fd4d7a07fc3e8ac9c491f4021b77543783d5f5f952b2a
60 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The file is an OOXML document containing an embedded OLE object identified as an Equation Editor. This is a high-severity finding and a common technique for exploiting vulnerabilities to execute arbitrary code. The embedded object itself is a large binary file, suggesting it likely contains a malicious payload or exploit code. No specific family could be identified from the available heuristics.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/v9S0ersFd.2K0Hj0t contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
9cdcccb8dcdbe4a6be56ebac8efe77ef555dacc36c986bfd6e7fbbe45e83bd7f		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/v9S0ersFd.2K0Hj0t 2932736 bytes
ooxml_oleobject_00_ole10native_00.bin
efaf4b9a9ef31f2fbfc522ae0dd8e8430ee3b3706adf0ee1e2935f84e4c9c83d		 ole-package OOXML xl/embeddings/v9S0ersFd.2K0Hj0t Ole10Native stream: olE10nAtIve 2907502 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.