Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 beee40733930655b…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.27 MB
Created: 2025-09-04 00:14:20 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2025-09-06
MD5: 4960053a05d1241aa46b9469c9c977af
SHA-1: 6ededb2ca6c5b04238503902e492e857437b6197
SHA-256: beee40733930655bfd305908f2d501c31f8849403701d703adce54b659e6753c
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1204 Malicious File Execution
T1566.002 Phishing: Spearphishing Attachment

The sample is an OOXML file containing an embedded OLE object, specifically identified as an Equation Editor object. The document body contains text in Afrikaans that appears to be a lure, instructing the user to enable macros or editing to view content. This heuristic, combined with the presence of an embedded OLE object, strongly suggests a macro-based delivery mechanism for a malicious payload.

Heuristics (3)

  • Equation Editor OLE object [severity: high, CVE related] (OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/j6ZPKeA9.uaW2sv contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [severity: medium] (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.
  • Macro/content-enable lure [severity: medium] (SE_ENABLE_LURE)
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 79fce1d32a74a9309020fbac3f3050312ef47e5a0e8ae0aec1ec7d3e24ea5f96
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/j6ZPKeA9.uaW2sv
Size: 3031552 bytes