Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c3110ec397dd2c30…

MALICIOUS

Office (OOXML) / .XLSX

Size: 12.02 MB
Created: 2024-10-01 21:36:41 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2025-08-27
MD5: 011a44e0dc5f8681d3a7065bd2acbe60
SHA-1: 510e970ae437d0efcb3567f83b0df7f7d27d857a
SHA-256: c3110ec397dd2c30e32083f2619346e09a7186250ae3552b6459bc8dfa343d40
Risk score: 184

Malware Insights

MITRE ATT&CK
T1204 User Execution (T1204.001 Malicious Link)
T1559 Inter-Process Communication (T1559.001 Component Object Model)

The sample is an OOXML workbook containing an embedded OLE object (xl/embeddings/oleObject1.bin) whose Ole10Native stream carries executable/PE indicators, the shape the heuristics below associate with CVE-2026-21514 exploitation. A packed executable inside an OLE Package is a dropper pattern: when the object is activated the package is written to disk and run, typically to download and execute a second-stage payload. The workbook also declares a custom part holding high-entropy data and an external relationship, both of which support the verdict. Note that ClamAV returned no signature match on the carved artifacts, so the verdict rests on these structural heuristics rather than on an AV detection.

Heuristics (7)

  • OOXML Ole10Native with payload/link indicators, possible CVE-2026-21514 [high] CVE likely: CVE_2026_21514
    The document contains an embedded OLE object (xl/embeddings/oleObject1.bin) with an Ole10Native stream plus executable, PE, or risky remote-link indicators. This is a likely CVE-2026-21514 exploitation shape.
  • Ole10Native package drops an auto-executable payload [critical] OFFICE_PACKAGE_RISKY_FILE
    The OLE Package displayName or fullPath ends in a directly auto-executable extension (a runnable binary, or a script the default shell host runs on double-click). Embedding such a payload inside an Office document has no benign authoring use; it is a malware-delivery dropper.
  • OOXML part with non-standard content type and high-entropy data [high] OOXML_BOGUS_CUSTOM_PART
    The package declares a part with an invented content type (not an OpenXML, Office, or standard media type) holding large, high-entropy (likely encrypted or packed) data. Legitimate OOXML files do not carry opaque binary blobs under custom content types; this is the embedded next-stage payload pattern used by loaders such as SVCReady.
  • External relationship [medium] OOXML_EXTERNAL_REL
    External target in xl/externalLinks/_rels/externalLink1.xml.rels: /Users/apurizaca/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/AP7HVEFW/AUD-KPMG-2017-05-RACF-20170704 (002)
    The target is a local Outlook attachment-cache path (Content.Outlook), not a remote host, so on its own this is a weak signal; it does leak the authoring user's account name and the name of a file the workbook was once linked to.
  • Embedded OLE object [medium] OOXML_OLE_OBJECT
    The document contains an embedded OLE object.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kcentral.ext.ema.kpmg.com/audit/go-gsccollab/ProjectDocuments/Workflow/LD/01
    URL http://schemas.openxmlformats.org/drawingml/2006/main (the DrawingML namespace URI; it is declared in the XML, not a link the document follows)

Extracted artifacts (16)

Files carved from inside the sample during analysis. Each entry lists filename, kind, source part and size, with the SHA-256 on the following line.

ooxml_oleobject_00.bin  ooxml-ole-object  OOXML embedded OLE part: xl/embeddings/oleObject1.bin  408064 bytes
  SHA-256: 14cff863e789a59ade4e2e30ee9ad8a6cca6c34d1dc0ce228a51ef1599cea366
ooxml_oleobject_00_ole10native_00.bin  ole-package  Ole10Native stream of xl/embeddings/oleObject1.bin  401502 bytes
  SHA-256: 831dccc75749d3471f7bb93ee0301dd785a2cf01fc09e8040e85c229fedf9892
ooxml_oleobject_01.bin  ooxml-ole-object  OOXML embedded OLE part: xl/embeddings/Microsoft_Word_97_-_2003_Document.doc  1286144 bytes
  SHA-256: be2a0e81fc777628ff57a82fb6a3a1ca92038c2208aaecb0a7c417ffbb7b9f2c
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely; carved artifact entropy is 7.76, consistent with packed or encrypted content.
emf_00.emf  ooxml-emf  OOXML EMF part: xl/media/image4.emf  2455716 bytes
  SHA-256: 6714afed9ca01b658960001bd35a4230b2f82b9b136d2f64d85328f6d9384e7b
emf_01.emf  ooxml-emf  OOXML EMF part: xl/media/image6.emf  3696468 bytes
  SHA-256: a0a18ad508b2f6415226b1003a0103f7a523de6b78342ab79eccb15dfbeae595
emf_02.emf  ooxml-emf  OOXML EMF part: xl/media/image7.emf  1486304 bytes
  SHA-256: 0c44f2653c9135e6f4a8878416f9372688b8020d774ad2cefb26a0cd90f7dcb9
emf_03.emf  ooxml-emf  OOXML EMF part: xl/media/image23.emf  481544 bytes
  SHA-256: 2b40bd7a6382f2005a3109adbba977ab38953f255fd32728cb5be67b204699fd
emf_04.emf  ooxml-emf  OOXML EMF part: xl/media/image60.emf  1379912 bytes
  SHA-256: 62caeab3b12b8bee006a6624cb1defd92e0734c5fa673be8dc2cfca97cc46aaf
emf_05.emf  ooxml-emf  OOXML EMF part: xl/media/image61.emf  351508 bytes
  SHA-256: 188e08710c09bce97acaadb8a447763552f4dd8ebaa68626cf48a63caf600944
emf_06.emf  ooxml-emf  OOXML EMF part: xl/media/image62.emf  712296 bytes
  SHA-256: b1de6fbdbef5ec489c5599f34319c839e528a68516ef4d89454c699e07460c49
emf_07.emf  ooxml-emf  OOXML EMF part: xl/media/image63.emf  590272 bytes
  SHA-256: 996e2347f960866457202f0627ab99416afb872e5a35ee450ea1afbb62cfbf67
emf_08.emf  ooxml-emf  OOXML EMF part: xl/media/image64.emf  563360 bytes
  SHA-256: 35fb94a43782af13651423895e26ce559bdefb0e884971604c8a8060e7eca64a
emf_09.emf  ooxml-emf  OOXML EMF part: xl/media/image65.emf  731648 bytes
  SHA-256: 294e2d99764e8b55fbae5d4501db98152510b1e64a9646d675dc02a32bef5a48
emf_10.emf  ooxml-emf  OOXML EMF part: xl/media/image66.emf  1067288 bytes
  SHA-256: 5829f0c8da74039e8a86b2ca2e63e893f5d5a18a08978faa16a0512350645b1e
emf_11.emf  ooxml-emf  OOXML EMF part: xl/media/image71.emf  10120 bytes
  SHA-256: 0042f4837000f4bdffbfb31412a1f9ddc3b1288e1eafaded57bc6fc673ff557b
emf_12.emf  ooxml-emf  OOXML EMF part: xl/media/image72.emf  10664 bytes
  SHA-256: daecfae006d02620c56a75179225fd66234da4feb5746fcd602ab26510f017e5