Office (OOXML) / .XLSX malware analysis — malicious · 949ef24e9fac3f1d

MALICIOUS

Office (OOXML) / .XLSX

2.18 MB Created: 2025-08-06 23:16:59 UTC Authoring application: Microsoft Excel 12.0000

MD5: 63822c1a90f5e54e19df5a234a35848a SHA-1: 7c920f2c0393d35f8872909429e95d76e3d8e888 SHA-256: 949ef24e9fac3f1dea3b24d31618ae90f2ea9a53c595b176115bc9887250d42f

120 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is an Excel document containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. Heuristics indicate a critical vulnerability, CVE-2017-11882, which is a FONT record overflow exploit. This exploit is commonly used to achieve arbitrary code execution, likely to download and execute a second-stage payload. No scripts were extracted, but the presence of the Equation Editor exploit strongly suggests an attack pattern aimed at exploiting this vulnerability for initial access.

Heuristics 3

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/I7ZRN.xT contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `18701ac87cf969aded1b5a352314aadd6e3b60f38109b80d25762f159ad0b8e5`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/I7ZRN.xT	3021312 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.