Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a43991cafa5908e6…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.18 MB
Created: 2025-08-18 05:08:49 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 0c70867dac9c72021beaf1e0516d0894
SHA-1: d783665bfbff5c41a0dee38c75d71f4665369320
SHA-256: a43991cafa5908e6e624916b3e7adf644774f9c48268780e379df6897c4a140e
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model (note: Equation Editor exploitation is more commonly mapped to T1203 Exploitation for Client Execution; COM Hijacking is a different technique, T1546.015)

The file is an Excel spreadsheet containing an embedded OLE object whose CLSID identifies it as a Microsoft Equation 3.0 (Equation Editor, EQNEDT32.EXE) object. Embedding an Equation Editor object is a well-known way to trigger the memory-corruption bugs in that legacy component (CVE-2017-11882 and its follow-ups) so that arbitrary code runs when Office renders the object; no macros are needed and the user only has to open the document. The embedded part is stored as xl/embeddings/nNdnkyj2.kOT; Excel itself writes such parts as oleObjectN.bin, so the random name and extension suggest the package was produced by a builder rather than saved from Excel. The document body contains what appears to be garbled text, likely filler or the rendered remains of the embedded object, and provides no direct clue about the lure.

Heuristics 2

  • Equation Editor OLE object (severity: high, CVE related, tag: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/nNdnkyj2.kOT contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium, tag: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
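The two heuristics above reduce to a simple scan that an analyst can reproduce on the raw sample: open the OOXML package as a zip, take every part under xl/embeddings/, and look for the Equation Editor CLSID ({0002CE02-0000-0000-C000-000000000046}, stored in the OLE directory entry in little-endian GUID layout) and for an Ole10Native stream name, matched case-insensitively because the stream in this sample is spelled "olE10NATIVE". The script below is an added illustration, not the analysis platform's own code; the package it scans is constructed inline and its embedded part only contains the bytes the scanner keys on, it is not a valid compound file.

```python
import io
import re
import uuid
import zipfile

# Microsoft Equation 3.0 (EQNEDT32.EXE) CLSID. In a compound file it sits in
# the root directory entry as a little-endian GUID, i.e. uuid.bytes_le.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory entry names are UTF-16LE. Match the stream name case-insensitively:
# samples vary the casing (this report shows "olE10NATIVE") to dodge naive rules.
OLE10NATIVE_RE = re.compile(
    b"O\x00l\x00e\x001\x000\x00N\x00a\x00t\x00i\x00v\x00e\x00", re.IGNORECASE
)


def scan_ole_blob(blob: bytes) -> dict:
    """Flag the Equation Editor CLSID and any Ole10Native stream in one OLE part."""
    m = OLE10NATIVE_RE.search(blob)
    return {
        "is_cfb": blob.startswith(CFB_MAGIC),
        "equation_editor_clsid": EQUATION_EDITOR_CLSID.bytes_le in blob,
        # report the casing exactly as found so it can go into the write-up
        "ole10native_stream": m.group(0).decode("utf-16-le") if m else None,
    }


def scan_xlsx(data: bytes) -> list:
    """Walk every part under xl/embeddings/ and score it like the heuristics above."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.startswith("xl/embeddings/"):
                continue
            blob = z.read(name)
            r = scan_ole_blob(blob)
            r["part"] = name
            r["size"] = len(blob)
            if r["equation_editor_clsid"]:
                r["severity"] = "high"      # OLE_EQUATION_EDITOR
            elif r["is_cfb"]:
                r["severity"] = "medium"    # OOXML_OLE_OBJECT
            else:
                r["severity"] = "info"
            results.append(r)
    return results


def build_sample_xlsx() -> bytes:
    """Constructed stand-in for the sample: a zip with one fake embedding.
    The embedded part is NOT a valid compound file; it only carries the
    magic, an oddly cased stream name and the CLSID the scanner looks for."""
    fake_ole = (
        CFB_MAGIC
        + b"\x00" * 504                       # rest of a 512-byte header
        + "olE10NATIVE".encode("utf-16-le")   # directory entry name, odd casing
        + b"\x00" * 40
        + EQUATION_EDITOR_CLSID.bytes_le      # CLSID field of the root entry
        + b"\x00" * 64
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/embeddings/nNdnkyj2.kOT", fake_ole)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_xlsx(build_sample_xlsx()):
        print(finding)
```

Against a real sample, replace build_sample_xlsx() with the bytes of the .xlsx; a hit on the CLSID alone is enough to escalate, since there is no legitimate reason for a current document to carry an Equation 3.0 object after the component was removed from Office.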

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • ooxml_oleobject_00.bin
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/nNdnkyj2.kOT
    Size: 3078144 bytes
    SHA-256: 93ccaec9bbe515d71e8c76cc36a26e8916a0dbe0c2d11859d546179dda340921
  • ooxml_oleobject_00_ole10native_00.bin
    Kind: ole-package
    Source: OOXML xl/embeddings/nNdnkyj2.kOT Ole10Native stream: olE10NATIVE
    Size: 3051813 bytes
    SHA-256: bf2ad09ac91645f0452522b3957374bec52ffc495216de6bbbfa43237c36e223