Office (OOXML) / .XLSX malware analysis — malicious · a7b53b1b7a6abd1f

MALICIOUS

Office (OOXML) / .XLSX

2.08 MB Created: 2026-04-24 11:17:50 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2026-06-27

MD5: 64679544e64c2b60d922471939dbd3ab SHA-1: 0bd2bee8e03a6935a986bab2ceb2dddb750bfd70 SHA-256: a7b53b1b7a6abd1f34fde367e96e054927b6ed9a3242bd92610a2feeea3ab082

120 Risk Score

Heuristics 3

CVE-2017-11882 — Equation Editor FONT record overflow critical CVE likely CVE_2017_11882

Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/sMTez.bfxGn contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/sMTez.bfxGn	2952704 bytes
SHA-256: `47d7612d0d825b6a26cee952353a061b7fc63fb48ed790a909638bcc248723a9`

Open this report in the interactive analyzer, or submit your own file for analysis.