Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b3383f08d89695a1…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.15 MB
Created: 2025-07-23 07:56:53 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2025-08-06

MD5: 7b7a35de789c63c45f967b6c58109f79
SHA-1: 8b0c9ad0dd0f276580dd760be32fb050fc4fefa1
SHA-256: b3383f08d89695a18ee2e6919c0c1b3f8ba42b81163bb9ecb9914bb0f8beab05
60 Risk Score

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link: Malicious Link
  • T1559 Component Object Model Hijacking
  • T1559.001 Component Object Model Hijacking: Component Object Model Hijacking

The file is an Excel document containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object is known to be exploited to deliver malicious payloads. The document body contains repetitive text that appears to be obfuscated or placeholder content, offering no clear lure. The primary indicator of compromise is the path to the embedded OLE object.

Heuristics 2

  • Equation Editor OLE object | high | CVE related | OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/e0LNaeF.fCZlg contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object | medium | OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
          600dc205ff661d910fcd7f062115401f1108a3285457258eff0ecaa3ca01edbc
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/e0LNaeF.fCZlg
Size: 3036160 bytes