Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c4ceb409a8c7f63c…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.14 MB
Created: 2025-07-15 00:56:42 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2025-07-19
MD5: 062b8c1a7a6cc624718031d1aa29f3d2
SHA-1: 153ff5856b4d789a989ae08452d1b4a02bd20735
SHA-256: c4ceb409a8c7f63c039565a035ddb2daaad865ca92cd7fbb0811f64cc42179cc
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking
T1204.002 Malicious File

The file is an Excel spreadsheet containing an embedded OLE object identified as an Equation Editor object. Equation Editor is exploitable via CVE-2017-11882, which allows arbitrary code execution, so the presence of this object strongly suggests an attempt to exploit that vulnerability to deliver a malicious payload.

Heuristics (2)

  • Equation Editor OLE object (severity: high, CVE-related; OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/JUlxx.zDYPViB contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; OOXML_OLE_OBJECT)
    Document contains an embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: da49e164f9856711f5e98ba51b423d554764e2217ab6dc6bc0492284b56ab296
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/JUlxx.zDYPViB
Size: 2932736 bytes