Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9babe4244c7cde4a…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.08 MB
Created: 2025-08-06 23:16:59 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2025-08-09
MD5: 272ae59da8400ed660bc003107686732
SHA-1: 36623e474a65ccabc27a3a1a3d19d9d20e472807
SHA-256: 9babe4244c7cde4a05ad300441c6972cf7c921cc9030e457e35f0d96a3e6aeef
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. This strongly suggests an attempt to exploit vulnerabilities within the Equation Editor component, a common attack vector. The document body content is obfuscated and does not provide further clues, but the presence of the Equation Editor OLE object is a high-confidence indicator of malicious intent.

Heuristics (2)

  • Equation Editor OLE object (severity: high; CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/tBCP6XU.9E0ft1x contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: e587567e344c1befa61ed6b6a1c085597162ed4e1e1540167ebd578c43c7b3dc
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/tBCP6XU.9E0ft1x
Size: 2894848 bytes