Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a208e1f164fbb33f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.82 MB
Created: 2025-09-10 01:57:00 UTC
Authoring application: Microsoft Excel 15.0300
First seen: 2026-01-30
MD5: dbded03f177d5b37be7c24eeed88252a
SHA-1: ac7a6781002868a69beadac709fb51964217a241
SHA-256: a208e1f164fbb33f889ff43724c980539f4ca96a23872bb77324f18f294e6a62
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model (the embedded object is loaded through COM; the exploit it carries maps to T1203 Exploitation for Client Execution)

The primary indicator of maliciousness is an embedded OLE object whose root storage carries the CLSID of Microsoft Equation 3.0 (EQNEDT32.EXE). Equation Editor objects are a well-known carrier for exploits such as CVE-2017-11882, a stack buffer overflow in the legacy equation parser that yields arbitrary code execution as soon as the object is rendered, with no macros and no user interaction beyond opening the file outside Protected View. Two further details support the verdict: the part is stored as xl/embeddings/xgW.gklc4 rather than the oleObjectN.bin name Excel assigns when it saves an embedding, which indicates the file was assembled by a tool rather than saved from Excel; and at 2,881,024 bytes the object accounts for almost the entire 2.82 MB file, whereas a genuine equation object is typically a few hundred bytes, so the bulk is most likely padding or an appended payload. No VBA or other scripts were extracted, and the document body was not available for analysis, so the specific payload and delivery mechanism could not be determined from static inspection alone.

Heuristics (2)

  • OLE_EQUATION_EDITOR (high, CVE-related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/xgW.gklc4 contains the Equation Editor CLSID ({0002CE02-0000-0000-C000-000000000046}, "Microsoft Equation 3.0"), the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • OOXML_OLE_OBJECT (medium): Embedded OLE object
    The document contains an embedded OLE object. Any OLE compound file under xl/embeddings/ fires this rule; on its own it is not evidence of malicious intent.
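The two heuristics above reduce to a small amount of file parsing: walk the .xlsx zip, pick out the parts under xl/embeddings/, confirm each one is an OLE2 compound file, and read the CLSID from the root directory entry. The script below is an added example written for this page, not the analysis platform's own rule engine; it implements exactly that check with the standard library only (no olefile dependency) and builds its own constructed test workbook, including a skeletal CFB container, so it runs offline. The Equation Editor CLSID, the CFB header and directory-entry offsets are taken from the MS-CFB specification; the rule names, severities and the sample part names mirror this report.

```python
import io
import struct
import uuid
import zipfile

# CLSID of "Microsoft Equation 3.0" (EQNEDT32.EXE), the component exploited by
# CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF


def root_clsid(blob):
    """Return the CLSID in the root directory entry of an OLE2/CFB blob, or None if it is not CFB."""
    if len(blob) < 512 or not blob.startswith(OLE_MAGIC):
        return None
    sector_size = 1 << struct.unpack_from("<H", blob, 30)[0]   # header offset 30: sector shift (9 -> 512)
    first_dir_sector = struct.unpack_from("<I", blob, 48)[0]   # header offset 48: first directory sector
    # The 512-byte header occupies "sector -1", so sector n starts at (n + 1) * sector_size.
    entry = (first_dir_sector + 1) * sector_size
    if entry + 128 > len(blob):
        return None
    # Directory entry: 64-byte name, name length, type, colour, three sibling ids, then the CLSID at +80.
    return uuid.UUID(bytes_le=blob[entry + 80:entry + 96])


def scan_workbook(xlsx_bytes):
    """Apply the report's two heuristics to every OLE part stored under xl/embeddings/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("xl/embeddings/"):
                continue
            blob = zf.read(name)
            clsid = root_clsid(blob)
            if clsid is None:
                continue   # not a compound file (e.g. an embedded package stored raw)
            if clsid == EQUATION_EDITOR_CLSID:
                rule, severity = "OLE_EQUATION_EDITOR", "high"
            else:
                rule, severity = "OOXML_OLE_OBJECT", "medium"
            findings.append({"part": name, "size": len(blob), "clsid": str(clsid),
                             "rule": rule, "severity": severity})
    return findings


def build_ole_blob(clsid, padding=0):
    """Constructed test input (not a real sample): a minimal CFB container with one FAT sector and
    one directory sector whose root entry carries `clsid`; `padding` mimics an oversized object."""
    header = bytearray(512)
    header[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)      # versions, byte order, sector shifts
    struct.pack_into("<IIII", header, 44, 1, 1, 0, 4096)               # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIII", header, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no extra DIFAT
    struct.pack_into("<I", header, 76, 0)                              # DIFAT[0]: the FAT lives in sector 0
    for i in range(1, 109):
        struct.pack_into("<I", header, 76 + 4 * i, FREESECT)
    fat = bytearray(512)
    struct.pack_into("<II", fat, 0, FATSECT, ENDOFCHAIN)               # sector 0 = FAT, sector 1 = directory
    for i in range(2, 128):
        struct.pack_into("<I", fat, 4 * i, FREESECT)
    directory = bytearray(512)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    directory[0:len(name)] = name
    # name length, type 5 = root storage, colour 1 = black, no left/right sibling, no child
    struct.pack_into("<HBBIII", directory, 64, len(name), 5, 1, NOSTREAM, NOSTREAM, NOSTREAM)
    directory[80:96] = clsid.bytes_le
    struct.pack_into("<I", directory, 116, ENDOFCHAIN)                 # root mini-stream: empty
    for i in range(1, 4):                                              # remaining three entries unused
        struct.pack_into("<III", directory, 128 * i + 68, NOSTREAM, NOSTREAM, NOSTREAM)
    return bytes(header + fat + directory) + b"\x00" * padding


def build_workbook(embeddings):
    """Constructed test input: a skeletal .xlsx zip carrying the given xl/embeddings/ parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("xl/workbook.xml",
                    '<?xml version="1.0"?><workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"/>')
        for part, blob in embeddings.items():
            zf.writestr(part, blob)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_workbook({
        "xl/embeddings/xgW.gklc4": build_ole_blob(EQUATION_EDITOR_CLSID, padding=4096),  # mirrors the report
        "xl/embeddings/oleObject1.bin": build_ole_blob(uuid.UUID(int=0)),                 # benign-looking control
    })
    for finding in scan_workbook(sample):
        print(finding)
```

Reading the CLSID from the root entry is deliberate: a byte-pattern search for the GUID anywhere in the part also matches, but the root-entry check tells you which object Office will actually instantiate, and it is the same field the report's OLE_EQUATION_EDITOR rule keys on. For triage, the part's size relative to the workbook and a non-default part name are worth reporting alongside the CLSID, as both stand out in this sample.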

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: ooxml_oleobject_00.bin
  SHA-256:  4fcfc4427b3997424e4ca15df942444b06e08e1b6c94e5781253e00a92070d7e
  Kind:     ooxml-ole-object
  Source:   OOXML embedded OLE part: xl/embeddings/xgW.gklc4
  Size:     2881024 bytes