Office (OOXML) / .XLSX malware analysis — malicious · af774cad05af1797

MALICIOUS

Office (OOXML) / .XLSX

2.01 MB Created: 2019-11-27 09:20:57 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2025-04-30

MD5: 15decba5e71f1b9f7c466aa9b3ec8920 SHA-1: 1c96ad5350ea650c3e4a0f3942db6c917a1a37dd SHA-256: af774cad05af1797046941c01dc310acf266debfbcc17282e03d6c9d72b8fb06

80 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.005 Visual Basic

The file is an Excel spreadsheet containing an embedded OLE object, specifically an Equation Editor object, which is a known vector for exploitation. The document body presents a list of parts and quantities, and a heuristic indicates a lure to enable macros or editing. This suggests the file is designed to exploit vulnerabilities or trick the user into executing malicious code, likely to download a second-stage payload.

Heuristics 3

Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR

Embedded OLE object xl/embeddings/S7Bnmk.7FHa contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
Embedded OLE object medium OOXML_OLE_OBJECT

Document contains an embedded OLE object
Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`ooxml_oleobject_00.bin` `6a9ee1d8d9be16df2d086fc8934d5daf0c92df8f3c3769bd98984c96df4ef82d`	ooxml-ole-object	OOXML embedded OLE part: xl/embeddings/S7Bnmk.7FHa	2846720 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.