Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9b723f20c0626b06…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.20 MB
Created: 2025-08-06 23:16:59 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2025-08-14
MD5: 8206c5729412e768822baf35d88821df
SHA-1: 0a7b9fce1a192f1ba82031fbff0cae7a6cfcfd0c
SHA-256: 9b723f20c0626b0608d857445002789f6c463d534afe4bdb05b57efd2d7391c7
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an Excel document containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object is frequently exploited to deliver malicious payloads. The document body contains garbled text, suggesting it is not intended for direct user interaction but rather to facilitate the exploitation of the embedded object.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/s375srQ86.DhmQ contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 32b35d7adbc1c81b273de66244e0886a0a58c8bbabee53ba79a779c9bcad8243
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/s375srQ86.DhmQ
Size: 3029504 bytes