Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b5a12f06107df70f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.19 MB
Created: 2025-08-18 05:08:49 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2025-08-22
MD5: 3c548d098a6dd2b8ed9beaf3485528f4
SHA-1: dde741a8b45f36272fc5102fe401b729be636593
SHA-256: b5a12f06107df70f92613c66e6c242ed40b1175d65a2846ff76ccf3cb34c5cbe
Risk score: 100

Malware Insights

MITRE ATT&CK

  • T1559.001 Component Object Model Hijacking
  • T1204.001 Malicious Link or Macro: User Execution

The sample is an Office document containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. Heuristics indicate that this Equation Editor object carries a payload-like Ole10Native stream with an anomalous header, suggesting it is being used to exploit a vulnerability. The document body contains repetitive, seemingly nonsensical text, which is often used to obscure malicious content. The primary attack vector appears to be the exploitation of the Equation Editor vulnerability to execute a secondary payload.

Heuristics (3)

  • Equation Editor OLE object (severity: high; CVE-related; rule OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/hRs.P7enAs contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high; rule OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY)
    Embedded OLE object declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream with malformed package sizing. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium; rule OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 2ff1aa5d74aeedf471f3a2ae93d6a8497e16bd0ac7e10baa7a3dbe5ad4a35a9e
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/hRs.P7enAs
    Size: 3088896 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: 31651e202831f75c9870ea91a5ed0830ce4b0ea2f82afb62e47d8d97c39a6585
    Kind: ole-package
    Source: OOXML xl/embeddings/hRs.P7enAs Ole10Native stream: ole10nAtiVE
    Size: 3062012 bytes