Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a34a4f4305ea71fc…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.15 MB
Created: 2025-07-15 00:56:42 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2025-07-16

MD5: 1f011536d5b9264ab33e867ef604bbf5
SHA-1: 126cbe6213c3b899540b2de4226191b077a431c0
SHA-256: a34a4f4305ea71fca6b223dff4e32ede46bd8f52c099de1588fff90ced20f76f

Risk score: 100

Malware Insights

MITRE ATT&CK
T1204 User Execution (T1204.002 Malicious File: the recipient must open the workbook)  T1559 Inter-Process Communication (T1559.001 Component Object Model: the embedded object is activated through OLE/COM)

The sample is an Excel workbook containing an embedded OLE object whose root CLSID is that of Equation Editor 3.0, the legacy component targeted by the CVEs listed under Heuristics. The object's Ole10Native stream is anomalous (large, high-entropy, with size fields that do not add up) and is assessed to carry the payload. The worksheet body shows a list of items with quantities, most likely a lure to get the recipient to open the document and activate the embedded object.

Heuristics (3)

  • OLE_EQUATION_EDITOR (severity: high, CVE-related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/J12Vjfj.yostQT7 carries the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY (severity: high): Equation Editor object carries a payload-like Ole10Native stream
    The embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream with malformed package sizing, the exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. A genuine Equation Editor object stores its formula (MTEF) in an "Equation Native" stream; Ole10Native is the Packager's stream and has no business under this CLSID. The finding is not tied to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • OOXML_OLE_OBJECT (severity: medium): Embedded OLE object
    The document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 4647b60312e4e96e25db878410fa9bd48287624110680bb7d343573e8f3cb49e
  Kind: ooxml-ole-object
  Source: OOXML embedded OLE part xl/embeddings/J12Vjfj.yostQT7
  Size: 3013632 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 5081ebe3f56d836ccc7b0395a2da0c9613b3fb774dbeebaaa448bf29e4d0bd4e
  Kind: ole-package
  Source: Ole10Native stream of xl/embeddings/J12Vjfj.yostQT7 (directory entry name: ole10NatiVE)
  Size: 2987529 bytes

Note on the stream name: "ole10NatiVE" differs from the conventional "Ole10Native" only in case. MS-CFB compares directory-entry names case-insensitively, so Office resolves the stream normally, whereas a case-sensitive string match on "Ole10Native" would miss it. Detection logic should normalise stream names before matching.
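The following is an added worked example, not tooling from this report, that re-implements the two Equation Editor heuristics above and the artifact carving using only the Python standard library. It assumes the public Equation Editor 3.0 CLSID (the report names the component but does not print the GUID), the Ole10Native/Packager header layout as implemented by common OLE tools, and a constructed test workbook whose embedded part is named xl/embeddings/oleObject1.bin with a stream named ole10NatiVE, mirroring the casing seen in the artifact list.

```python
import hashlib, io, math, struct, uuid, zipfile
from collections import Counter

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
# Public CLSID of Equation Editor 3.0 (EQNEDT32.EXE); the report names the component, not the GUID.
EQUATION_EDITOR_CLSID = "0002ce02-0000-0000-c000-000000000046"

def read_cfb_streams(data):
    """Minimal MS-CFB reader -> (root CLSID, {name: bytes}). Streams below the 4096-byte
    cutoff live in the mini stream and are skipped; a multi-MB Ole10Native never does."""
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    sector = lambda n: data[(n + 1) * sector_size:(n + 2) * sector_size]
    fat = []
    for i in range(min(num_fat, 109)):  # FAT sector numbers are listed in the header DIFAT
        fat_sector = struct.unpack_from("<I", data, 76 + 4 * i)[0]
        fat += struct.unpack(f"<{sector_size // 4}I", sector(fat_sector))
    def chain(start, size=None):
        out, n = bytearray(), start
        while n != ENDOFCHAIN and (size is None or len(out) < size):
            out += sector(n)
            n = fat[n]
        return bytes(out if size is None else out[:size])
    root_clsid, streams, directory = None, {}, chain(first_dir)
    for off in range(0, len(directory), 128):  # one 128-byte directory entry per iteration
        (name_len, kind, _color, _left, _right, _child, clsid_le,
         _state, _ctime, _mtime, start, size) = struct.unpack_from("<HBBIII16sIQQIQ", directory, off + 64)
        if kind == 5:  # root storage: its CLSID selects the OLE server Office loads
            root_clsid = str(uuid.UUID(bytes_le=clsid_le))
        elif kind == 2 and size >= 4096:
            streams[directory[off:off + name_len - 2].decode("utf-16-le")] = chain(start, size)
    return root_clsid, streams

def read_cstring(buf):
    out = b""
    while (c := buf.read(1)) not in (b"", b"\0"):
        out += c
    return out.decode("latin-1")

def shannon_entropy(b):
    return -sum(c / len(b) * math.log2(c / len(b)) for c in Counter(b).values()) if b else 0.0

def check_ole10native(stream):
    """Parse the Ole10Native (Packager) header as common OLE tools lay it out (an assumption,
    not stated by the report); flag size fields that do not add up and high-entropy payload."""
    buf = io.BytesIO(stream)
    try:
        declared_total, _flags = struct.unpack("<IH", buf.read(6))
        label, _src_path = read_cstring(buf), read_cstring(buf)
        _unk, _flags2, tmp_len = struct.unpack("<HHI", buf.read(8))
        buf.read(tmp_len)  # temp path including its NUL
        (declared_data,) = struct.unpack("<I", buf.read(4))
    except struct.error:  # header truncated: malformed by definition
        return {"label": None, "size_mismatch": True, "payload_entropy": 0.0}
    payload = buf.read()
    return {"label": label, "payload_entropy": round(shannon_entropy(payload), 2),
            "size_mismatch": declared_total != len(stream) - 4 or declared_data != len(payload)}

def triage_xlsx(xlsx_bytes):
    """Apply both heuristics to each xl/embeddings/ part, found by path and CFB magic, not extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in z.namelist():
            blob = z.read(name) if name.startswith("xl/embeddings/") else b""
            if blob[:8] != CFB_MAGIC:
                continue
            clsid, streams = read_cfb_streams(blob)
            f = {"part": name, "equation_editor": clsid == EQUATION_EDITOR_CLSID}
            for sname, s in streams.items():
                # MS-CFB matches names case-insensitively: 'ole10NatiVE' loads like 'Ole10Native'.
                if sname.lstrip("\x01").lower() == "ole10native":
                    f.update(check_ole10native(s))
            findings.append(f)
    return findings

def build_sample_xlsx(size_delta=0):
    """Constructed test input (not the analysed sample): Equation Editor root CLSID plus a
    mixed-case 'ole10NatiVE' stream; size_delta != 0 skews both declared sizes."""
    payload = b"".join(hashlib.sha256(i.to_bytes(2, "little")).digest() for i in range(200))
    tmp = b"C:\\Temp\\lure.exe\0"
    body = (struct.pack("<H", 2) + b"lure.exe\0C:\\lure.exe\0" + struct.pack("<HHI", 0, 3, len(tmp))
            + tmp + struct.pack("<I", len(payload) + size_delta) + payload)
    pkg = struct.pack("<I", len(body) + size_delta) + body
    n = -(-len(pkg) // 512)  # data in sectors 2..n+1; sector 0 = FAT, sector 1 = directory
    fat = ([FATSECT, ENDOFCHAIN] + list(range(3, 2 + n)) + [ENDOFCHAIN] + [FREESECT] * 128)[:128]
    def entry(name, kind, clsid=b"\0" * 16, child=FREESECT, start=0, size=0):
        raw = name.encode("utf-16-le") + b"\0\0"
        return struct.pack("<64sHBBIII16sIQQIQ", raw, len(raw), kind, 1, FREESECT, FREESECT,
                           child, clsid, 0, 0, 0, start, size)
    directory = (entry("Root Entry", 5, uuid.UUID(EQUATION_EDITOR_CLSID).bytes_le, 1, ENDOFCHAIN)
                 + entry("\x01ole10NatiVE", 2, start=2, size=len(pkg))).ljust(512, b"\0")
    header = struct.pack("<8s16sHHHHH6s9I", CFB_MAGIC, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6, b"\0" * 6,
                         0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *[FREESECT] * 108)
    ole = header + struct.pack("<128I", *fat) + directory + pkg.ljust(n * 512, b"\0")
    with zipfile.ZipFile(out := io.BytesIO(), "w") as z:
        z.writestr("xl/embeddings/oleObject1.bin", ole)
    return out.getvalue()
```

Running `triage_xlsx(build_sample_xlsx(0))` yields a finding with the Equation Editor CLSID matched and consistent package sizes; `triage_xlsx(build_sample_xlsx(0x100000))` reproduces the second heuristic, a Package stream whose declared sizes exceed the stream that holds them. The reader deliberately matches embedded parts by path prefix and CFB magic and normalises stream names to lower case, since neither the part name (J12Vjfj.yostQT7) nor the stream name (ole10NatiVE) in this sample follows the usual conventions.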