Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 bc6634858a7efdec…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.28 MB
Created: 2025-09-22 22:56:50 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2025-09-25
MD5: 4339ef1ec588060d41bd28e08fb1f89a
SHA-1: 3d2b603632571f7390e4333fdb384859f9591b77
SHA-256: bc6634858a7efdecb0711f004298d095d0102d776e4fe241eceb60fe729595d7
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1204 User Execution
  • T1566 Phishing
  • T1204.002 Malicious File

The workbook contains one embedded OLE object (xl/embeddings/BF.AHISjL6) whose CLSID identifies it as a legacy Equation Editor object. A genuine equation stores its MTEF data in an Equation Native stream; this object instead carries a roughly 2.9 MB Ole10Native stream with high entropy and package size fields that do not match the stream's real length, the shape of an exploit or payload container rather than a formula. The stream is stored under the case-mangled name oLE10NAtivE (see Extracted artifacts); the compound-file directory resolves names case-insensitively, so Office still finds it, but a scanner that matches the literal string Ole10Native will not. The document also carries a macro/content-enable lure. Equation Editor exploitation does not need macros: the object is loaded once the user leaves Protected View (Enable Editing), so the lure's purpose is to get the object activated. No specific CVE is assigned because the MTEF/Equation Native exploit primitive was not matched.

Heuristics (4)

  • Equation Editor OLE object (severity: high, CVE-related) OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/BF.AHISjL6 contains the Equation Editor CLSID (0002CE02-0000-0000-C000-000000000046), the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Equation Editor object carries payload-like Ole10Native stream (severity: high) OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY
    Embedded OLE object declares the Equation Editor CLSID but stores a large, high-entropy Ole10Native stream whose package size fields do not match its contents. This is an exploit-shaped Equation/OLE payload container seen in malicious OOXML samples. It is not assigned to a specific CVE unless the MTEF/Equation Native primitive also matches.
  • Embedded OLE object (severity: medium) OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Macro/content-enable lure (severity: medium) SE_ENABLE_LURE
    Document instructs the user to enable macros or editing. Malware droppers use this lure to get the victim to leave Protected View or enable macros, the two Office safeguards that would otherwise keep an embedded object or macro from running.
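As an added example (not part of this report or of the analysis engine that produced it), the following Python script applies the two Ole10Native heuristics above to an embedded OLE object: it matches the stream name the way the compound-file directory does (case-insensitively) and notes when the case was mangled, parses the Packager stream layout and records every size field that disagrees with the data, scores payload entropy, and combines the result with the Equation Editor CLSID. It also shows how to walk xl/embeddings/* of a real workbook with the third-party olefile package. The two samples in demo() are constructed, the size and entropy thresholds are assumptions, and the Packager stream layout is the one oletools parses.

```python
import math
import random
import struct
import zipfile

# Well-known CLSIDs: legacy Equation Editor 3.0 (EQNEDT32.EXE) and the Windows Packager object.
EQUATION_EDITOR_CLSID = "0002CE02-0000-0000-C000-000000000046"
PACKAGER_CLSID = "F20DA720-C02F-11CE-927B-0800095AE340"
# Canonical stream name. CFB directory lookups are case-insensitive, so Office also accepts oLE10NAtivE.
OLE10NATIVE = "\x01Ole10Native"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 .. 8.0); packed, encrypted or random payloads sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_ole10native(label: str, filename: str, temp_path: str, payload: bytes) -> bytes:
    """Serialise a well-formed Packager Ole10Native stream (used here only to build test data).
    Layout: u32 total | u16 flags | label NUL | filename NUL | u16 0 | u16 3 |
            u32 len(temp_path)+1 | temp_path NUL | u32 data_size | data"""
    tp = temp_path.encode("cp1252") + b"\0"
    body = struct.pack("<H", 2) + label.encode("cp1252") + b"\0" + filename.encode("cp1252") + b"\0"
    body += struct.pack("<HHI", 0, 3, len(tp)) + tp + struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


def _cstr(buf: bytes, pos: int):
    end = buf.index(b"\0", pos)  # ValueError if the string is unterminated
    return buf[pos:end].decode("cp1252", "replace"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Parse the Packager layout, recording every size field that disagrees with reality."""
    info = {"anomalies": [], "payload": stream[4:]}
    if len(stream) < 6:
        info["anomalies"].append("stream too short for Ole10Native")
        return info
    info["declared_total"] = struct.unpack_from("<I", stream)[0]
    if info["declared_total"] != len(stream) - 4:
        info["anomalies"].append("total size field != stream length")
    try:
        info["label"], pos = _cstr(stream, 6)
        info["filename"], pos = _cstr(stream, pos)
        tp_len = struct.unpack_from("<I", stream, pos + 4)[0]  # skip u16 0, u16 3
        pos += 8
        info["temp_path"] = stream[pos:pos + tp_len].rstrip(b"\0").decode("cp1252", "replace")
        pos += tp_len
        info["declared_data_size"] = struct.unpack_from("<I", stream, pos)[0]
        info["payload"] = stream[pos + 4:]
    except (ValueError, struct.error):
        info["anomalies"].append("package header truncated or not a Packager layout")
        return info
    if info["declared_data_size"] != len(info["payload"]):
        info["anomalies"].append("data size field != embedded payload length")
    return info


def assess_object(clsid: str, streams: dict, min_size: int = 1 << 16, min_entropy: float = 7.5) -> dict:
    """Apply the report's heuristics to one embedded OLE object (thresholds are assumptions)."""
    findings = []
    is_eqn = clsid.upper() == EQUATION_EDITOR_CLSID
    if is_eqn:
        findings.append("OLE_EQUATION_EDITOR")
    # Match the name the way the CFB directory does, then note whether the case was mangled.
    hits = [n for n in streams if n.upper() == OLE10NATIVE.upper()]
    if not hits:
        return {"findings": findings, "entropy": None}
    if hits[0] != OLE10NATIVE:
        findings.append("case-mangled stream name: " + hits[0][1:])
    info = parse_ole10native(streams[hits[0]])
    ent = shannon_entropy(info["payload"])
    findings.extend(info["anomalies"])
    # A real Equation object keeps MTEF in 'Equation Native'; an Ole10Native blob that is large,
    # high-entropy or mis-sized is the payload-container shape the report flags.
    if is_eqn and (info["anomalies"] or (len(info["payload"]) >= min_size and ent >= min_entropy)):
        findings.append("OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY")
    return {"findings": findings, "entropy": round(ent, 2)}


def scan_xlsx(path: str) -> dict:
    """Run the check over every xl/embeddings/* part of a real workbook (needs the olefile package)."""
    import olefile  # third-party: pip install olefile
    results = {}
    with zipfile.ZipFile(path) as z:
        for part in z.namelist():
            if part.startswith("xl/embeddings/"):
                try:
                    ole = olefile.OleFileIO(z.read(part))
                except OSError:
                    continue  # not a compound file
                names = ["/".join(p) for p in ole.listdir(streams=True, storages=False)]
                streams = {n: ole.openstream(n).read() for n in names}
                results[part] = assess_object(ole.root.clsid, streams)
    return results


def demo() -> dict:
    """Constructed samples: a benign Packager object and an Equation object carrying a bogus blob."""
    benign = build_ole10native("notes.txt", "notes.txt", "C:\\Temp\\notes.txt", b"quarterly figures\r\n" * 40)
    rng = random.Random(1)
    junk = bytes(rng.getrandbits(8) for _ in range(64 * 1024))  # stand-in for a packed payload
    bogus = struct.pack("<IH", 0x10, 2) + b"x\0y\0" + junk  # size fields do not match reality
    return {
        "benign": assess_object(PACKAGER_CLSID, {OLE10NATIVE: benign}),
        "bogus": assess_object(EQUATION_EDITOR_CLSID, {"\x01oLE10NAtivE": bogus}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Against this sample, scan_xlsx("bc6634858a7efdec....xlsx") would report the Equation Editor CLSID, the case-mangled stream name, and the sizing anomalies on the ~2.9 MB stream in one pass; the 64 KiB threshold in demo() is only there to keep the constructed sample small.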

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 58d14abb79f757ba0792c2cd2170d872e8ad5275c10b15012a1aaf8476286d06
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part xl/embeddings/BF.AHISjL6
    Size: 2985472 bytes
  • Filename: ooxml_oleobject_00_ole10native_00.bin
    SHA-256: bf56fa96240e13a077c8cf9f7c0ec08d9a4e548dfa1c8f70c1ef3234e3f4b1a8
    Kind: ole-package
    Source: OOXML xl/embeddings/BF.AHISjL6, Ole10Native stream (stored as oLE10NAtivE)
    Size: 2959681 bytes