Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 be43cd1fa313391a…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.16 MB | Created: 2025-07-23 07:56:53 UTC | Authoring application: Microsoft Excel 12.0000
MD5: d7a771293401c1cbb15866d26d466070
SHA-1: 75a564e8634ee9c1b1da3f22f1017b6c35da8637
SHA-256: be43cd1fa313391ac0bf30280509811a5ae44f794d1f58471f675e4a385380f9
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Office document containing an embedded OLE object identified as a Microsoft Equation Editor object. This legacy component has known memory-corruption vulnerabilities that allow arbitrary code execution when a crafted object is parsed. The heuristic firings strongly indicate that the object is intended to exploit one of them. No document body text or scripts were extracted, but the presence and type of the embedded object are sufficient to determine the attack pattern.

Heuristics (2)

  • OLE_EQUATION_EDITOR (severity: high, CVE related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/IA.QJ contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • OOXML_OLE_OBJECT (severity: medium): Embedded OLE object
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
  SHA-256: 0eea4fa509c178135069117ed0b5646f5655e363deac4eb037548d1bbae8b9c5
  Kind:    ooxml-ole-object
  Source:  OOXML embedded OLE part: xl/embeddings/IA.QJ
  Size:    3066368 bytes

Filename: ooxml_oleobject_00_ole10native_00.bin
  SHA-256: ed911b92e07cc76e83c73f4caea3f89ff8b70c5ceb7258acac550e3805c4182b
  Kind:    ole-package
  Source:  OOXML xl/embeddings/IA.QJ Ole10Native stream: OLE10nAtIve
  Size:    3039856 bytes