Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b5680069a7dad8a4…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.43 MB
Created: 2025-09-04 00:14:20 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2025-09-12

MD5: 851d05c430dc045faac47351c5a1b47f
SHA-1: a7a8ad3cd950969ac2d32b3266b53104406a172d
SHA-256: b5680069a7dad8a4c28c7829729a16ac9aed703885de85b7b54ae926e9d877e4

Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204 User Execution
  • T1204.002 Malicious File
  • T1566 Phishing
  • T1566.001 Spearphishing Attachment

The sample is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. The document body contains text in Afrikaans that appears to be a list of items, likely intended as a lure to encourage users to enable content. The heuristic 'SE_ENABLE_LURE' confirms this, indicating the document instructs the user to enable macros or editing. This suggests the document is designed to bypass Office macro security and execute a malicious payload.

Heuristics (3)

  • Equation Editor OLE object [OLE_EQUATION_EDITOR] (severity: high; CVE related)
    Embedded OLE object xl/embeddings/9DPUU.nZ contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [OOXML_OLE_OBJECT] (severity: medium)
    Document contains an embedded OLE object.
  • Macro/content-enable lure [SE_ENABLE_LURE] (severity: medium)
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 2eb298b930cf1c1951ffeceb4515bf3695d6e24d32f8da3e623c4d3f48969d1c
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/9DPUU.nZ
    Size: 2951168 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 8daf92c1165f39ece410fcd484d475a24b2d86ff23ee56efb5ba8fd7c82b3208
    Kind: ole-package
    Source: OOXML xl/embeddings/9DPUU.nZ Ole10Native stream: Ole10NatIVE
    Size: 2925524 bytes