Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 b8407599c59273e7…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.16 MB
Created: 2025-07-15 00:56:42 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2025-07-17
MD5: 2905bc0b75d8515dc99c24a5fa5ab1a6
SHA-1: 4d61f71d6599f118c1693a7d2cb58220aa535c4c
SHA-256: b8407599c59273e7f9202c22360c8832f20ffc367e801b483f32bafcdb6f056f
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The sample is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. This strongly suggests an attempt to exploit a known vulnerability associated with Equation Editor. The document body contains repetitive, seemingly nonsensical text, which is common in lures designed to obscure the malicious payload. No scripts were extracted, and the primary threat appears to stem from the embedded OLE object itself.

Heuristics (2)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/8kc.ShMsjD contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: b6a3c15f771c73bd18b69f3ebf7b9e509873ca8768e91cb22b4f279c92b49d32
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/8kc.ShMsjD
Size: 2987520 bytes