Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 9fa8c063c903020f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.30 MB
Created: 2025-09-04 00:14:20 UTC
Authoring application: Microsoft Excel 12.0000
MD5: da0ee118bfade9cbce5ccf5de2d1dc21
SHA-1: 7f803e0fda9c440874bf9e8e78244670ac12c21a
SHA-256: 9fa8c063c903020f379d6626722a9fdcb3c484ba23092091cb3d8ee76e57d16e
Risk Score: 80

Malware Insights

MITRE ATT&CK

  • T1204 Malicious Link
  • T1204.002 Malicious Link: Malicious File
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment
  • T1566.002 Phishing: Spearphishing via Service

The file is an Office document containing an embedded OLE object identified as an Equation Editor object. The heuristic 'SE_ENABLE_LURE' indicates that the document likely instructs the user to enable macros or content, a common tactic for malware droppers. Although no scripts were extracted, the combination of the embedded Equation Editor OLE object and the enable-content lure strongly suggests the document is designed to facilitate the download and execution of a malicious payload.

Heuristics (3)

  • Equation Editor OLE object (severity: high; CVE related; heuristic ID: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/GE3Crj.wfPt2hb contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; heuristic ID: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Macro/content-enable lure (severity: medium; heuristic ID: SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: e194de2af7eadd5d916fc9ba1e24a5debd3984c41602cbdb43f572e2edcf4d36
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/GE3Crj.wfPt2hb
Size: 2767872 bytes