Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 977c5464ffc13300…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.79 MB | Created: 2025-09-10 01:57:00 UTC | Authoring application: Microsoft Excel 15.0300
MD5: d9235a17b7229af80f1d00c89dad8d57
SHA-1: 5ea77385cadc5ef1d02d63c093822d3ed6c02c9a
SHA-256: 977c5464ffc13300ccb8ca5a6585d154c0307fe637c9d34b65b9338ab88db4d2
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The high-severity heuristic firing for an Equation Editor OLE object indicates a likely exploit attempt. This technique is commonly used to embed malicious code within Office documents, which can then be executed when the object is interacted with, leading to further compromise.

Heuristics (2)

  • Equation Editor OLE object (severity: high; category: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/rQ1LBbH.iIV1Fd contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 3863717492fb4d4b33c2f457712556f7bbfe45aa557b3e57f046961b53382f74
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/rQ1LBbH.iIV1Fd
  Size:    2830848 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: d474446502c998832150c01f0c6d8fd126b9ca2e8f2f8c8a07c1515da919c1fe
  Kind:    ole-package
  Source:  OOXML xl/embeddings/rQ1LBbH.iIV1Fd, Ole10Native stream "OlE10NATIvE"
  Size:    2806097 bytes