Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9f238ad7ee69f9a5…

MALICIOUS

Office (OOXML) / .XLSX

Size: 406.7 KB
Created: 2024-10-18 16:09:32 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2026-04-24
MD5: 39e1091865c811de41e96f38609100e6
SHA-1: 98677ae959a73c9526ce62af679b0cf9270f7ae6
SHA-256: 9f238ad7ee69f9a519a3a82b9f90afb5cccc8db46b7b9501d7fe67df90afc9e6
Risk Score: 382

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1559.001 Component Object Model Hijacking
  • T1059.005 Visual Basic

The sample is an OOXML document containing VBA macros and an embedded OLE object. The heuristics indicate a high likelihood of exploitation via CVE-2026-21514, leveraging an embedded OLE object that contains an executable payload. The VBA macros and XOR-encoded strings suggest further stages of execution, likely involving API hash resolution and memory protection modifications.

Heuristics (11)

  • OOXML Ole10Native with payload/link indicators — possible CVE-2026-21514 high CVE likely CVE_2026_21514
    Office document contains embedded OLE (xl/embeddings/oleObject1.bin) with Ole10Native plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
  • XOR-encoded strings (key 0x2E) critical SC_XOR_ENCODED
    Found 2 Windows library/API name(s) XOR-encoded with single-byte key 0x2E: 'kernel32.dll', 'LoadLibraryA'
  • Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • PEB access via GS segment (x64) high SC_PEB_ACCESS_X64
    PEB access via GS segment (x64)
  • PEB API-hash resolver high SC_API_HASH_RESOLVER
    PEB access followed by ROR13-style API hashing, a common position-independent shellcode import resolver
  • Ole10Native package carries executable/script file type high OFFICE_PACKAGE_RISKY_FILE
    OLE Package displayName or fullPath ends in an executable or script-capable extension. Even without UI extension spoofing, embedding a runnable payload inside an Office document is a high-risk delivery pattern.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Reference to VirtualProtect API medium SC_STR_VIRTUALPROTECT
    Reference to VirtualProtect API
  • VBA project inside OOXML medium OOXML_VBA
    Document contains vbaProject.bin — VBA macros present
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://google.com/?id=OTBRV0hhIQ7g

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size (plus Detection where available).

  • ooxml_oleobject_00.bin
    SHA-256: 868b53274ee207a5c6aa6b985ae921974dde50c0214734b8ac57ec47306b2753
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/oleObject1.bin
    Size: 406528 bytes
  • ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 34bd81ecc57953b74b5bec70b1eec84de6e6faaa892d2034fd0a22cd0374c25a
    Kind: ole-package
    Source: OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native
    Size: 400543 bytes
  • vbaProject_00.bin
    SHA-256: 1c6481469e7f58e5a86933302b244fec090a54260d947e10bb25197f06b3dcf2
    Kind: vba-project
    Source: OOXML VBA project: xl/vbaProject.bin
    Size: 17408 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 86 Chr/ChrW string-construction calls. Carved macro source contains an auto-exec entry point and execution/download terms.
  • embedded_office_off00001077.ole
    SHA-256: 1d06ce2d4ad2ac2f919620ccd94000df4aa8da5e8a3df25b7794f62bbf948d6d
    Kind: embedded-office
    Source: Embedded OLE/CFB Office body inside ooxml container at offset 0x1077
    Size: 412248 bytes