Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a4e83e555835ac72…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.76 MB
Created: 2025-09-10 01:57:00 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 1f4bfcdddc18f012dae82283df085c29
SHA-1: beeeb02cf7ba55663b54e1e529a83e37424f64ca
SHA-256: a4e83e555835ac72787a90ca86190a6b56149dab10810a2dcacbeef94c58ddbb
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559 Component Object Model and Distributed Component Object Model
T1559.001 Component Object Model

The file is an Excel spreadsheet containing an embedded OLE object identified as an Equation Editor object. Embedding such an object is a common method for exploiting vulnerabilities in the Equation Editor component to execute arbitrary code. The presence of this object strongly suggests an attempt to deliver a malicious payload.

Heuristics 2

  • Equation Editor OLE object | high | CVE related | OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/5Uexr.5EObcV contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object | medium | OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| ooxml_oleobject_00.bin (1ca0c8b47974a311456b046b817f15e1beb4549da7be807ce03bd9c812a94252) | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/5Uexr.5EObcV | 2813440 bytes |
| ooxml_oleobject_00_ole10native_00.bin (13e9e013c18171947a45d7589009a7f7565d4c4c5bcdeb58252efbe6959a6349) | ole-package | OOXML xl/embeddings/5Uexr.5EObcV Ole10Native stream: olE10nATiVE | 2789168 bytes |