Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 939715d5dc9fbbb4…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.29 MB
Created: 2025-09-04 00:14:20 UTC
Authoring application: Microsoft Excel 12.0000
MD5: fd83d7d744d24e3a4e2e56698d145a19
SHA-1: 3fe57b9bb8701c3d0f1d6ede9c8029bd98a83169
SHA-256: 939715d5dc9fbbb48d7ab2cc5f8bf8b092ee71a0418b112cae6f6b5b9e3b892d
Risk score: 80

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The file is an Excel spreadsheet containing an embedded Equation Editor OLE object; the legacy Equation Editor component is a well-known exploitation target (see the CVEs listed under Heuristics). The document body, while visually dense, reads as a lure to enable content, a common tactic of macro-based malware. The presence of the embedded OLE object indicates an attempt to execute code, most likely to download and run a secondary payload.

Heuristics (3)

  • Equation Editor OLE object [severity: high, CVE related] (OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/XTd0EjCXC.qXbBa contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [severity: medium] (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Macro/content-enable lure [severity: medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing: a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 4fb1e0b85d56ad07b727d7fbbaa559328cb5324df86d6cc59848e7d610a5e56c
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/XTd0EjCXC.qXbBa
Size: 2859520 bytes