Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a3bc10e5669ad4e5…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.15 MB | Created: 2025-08-18 05:08:49 UTC | Authoring application: Microsoft Excel 12.0000
MD5:     6ffdef1892551f1b5dda32bb8c4f377b
SHA-1:   01f38ae6fbfcea2ba43dde21b1e67f8346640a5c
SHA-256: a3bc10e5669ad4e5b1d18a00c60c3bd5f7cccde69345f4bb70bc404710452c94
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1559.001 Component Object Model and Distributed Component Object Model

The file is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. This strongly suggests exploitation of a known vulnerability within the Equation Editor component to achieve arbitrary code execution. No scripts were extracted, and the document body content is obfuscated and unreadable, but the presence of the Equation Editor OLE object is a high-confidence indicator of exploitation.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/YLqImj.G3 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: eeae091236d55f91d72ba1dd907a52fdfdd7604f9d423aa60a348218c5c84fa8
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/YLqImj.G3
  Size:    2992128 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: 5a6af12af8605a6ffeb97888940ca59d14a1000cadb8cc49874d2977add18b0c
  Kind:    ole-package
  Source:  OOXML xl/embeddings/YLqImj.G3 Ole10Native stream: OLE10NaTive
  Size:    2966479 bytes