Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 a91b51442765b4f6…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.89 MB
Created: 2025-09-10 01:57:00 UTC
Authoring application: Microsoft Excel 15.0300
MD5: 00f959e7cd0a01062c16fa73d58e4450
SHA-1: f88a5706701e565985bd6762ea06644886741cf1
SHA-256: a91b51442765b4f6373d4c34d9f4b94c10ec8cc11074463f4811bbf88f25e8cf
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The primary finding is a high-severity heuristic: an Equation Editor OLE object is embedded in the XLSX file. Embedding this legacy component is a common way to exploit known vulnerabilities in Microsoft Office applications, typically resulting in arbitrary code execution. The embedded OLE object is the strongest indicator of malicious intent in this sample.

Heuristics (2)

  • Equation Editor OLE object
    Severity: high | Tag: CVE related | Rule: OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/YOrsGjj.iupzM contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object
    Severity: medium | Rule: OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 497b7eddd457f5e10f419782a6cec7d4d89ce798323d44b68a211cec73f4f6b3
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/YOrsGjj.iupzM
    Size: 3004416 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 6060b3c0414dd2e78e7a4003ed072e775f77f94e36a7113e1766ea43c680864d
    Kind: ole-package
    Source: OOXML xl/embeddings/YOrsGjj.iupzM Ole10Native stream: OLe10NATiVe
    Size: 2978588 bytes