Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b19f1f290f5baf67…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.08 MB
Created: 2025-06-24 01:02:13 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2025-07-01
MD5: 4dd4dfb98ec4fa0a36016e8c599ab351
SHA-1: 1c2d873e6f225ec70d7321494ec2aa4e7ca3f118
SHA-256: b19f1f290f5baf67e4b542fbf778adc04984a55a7f05eb9b1a26adeafeaeece3
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking
T1204.002 Malicious File

The sample is an Office Open XML spreadsheet containing an embedded OLE object, specifically identified as an Equation Editor object. This object is known to be exploitable via CVE-2017-11882, which allows for arbitrary code execution. The presence of a NOP sled further suggests an attempt to exploit a buffer overflow vulnerability. The document body content is garbled and does not provide further context on the lure.

Heuristics (3)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/EZ3m36.Nuoy contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • NOP sled detected (severity: high; rule: SC_NOP_SLED)
    Found 20+ consecutive 0x90 bytes.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256:  b76881f7cc4530512288247f4a7a5a5d27cf5477136fc51a3e359ee72891d207
Kind:     ooxml-ole-object
Source:   OOXML embedded OLE part: xl/embeddings/EZ3m36.Nuoy
Size:     2907648 bytes