Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c5ac40b5ed881699…

MALICIOUS

Office (OOXML) / .XLSX

2.01 MB Created: 2025-06-12 01:12:31 UTC Authoring application: Microsoft Excel 12.0000
MD5: 1fc8a92bd7e9511dd01ab25ff6d6a722 SHA-1: 4b149d2ea189c4647ec2e50e375a82d20ac42119 SHA-256: c5ac40b5ed881699b772e7ead6436735fc05bc5e44e3ab37a05c1cdda9e1d7fa
60 Risk Score

Malware Insights

MITRE ATT&CK
T1559.001 Component Object Model Hijacking

The high-severity heuristic firing for 'OLE_EQUATION_EDITOR' indicates the presence of a vulnerable Equation Editor OLE object within the XLSX file. This is a common technique used to exploit CVE-2017-11882, leading to the execution of arbitrary code. The embedded OLE object is the primary indicator of malicious intent.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/viwK.A21 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
c95839b0ddec207734b54984fb886506de5552208200ab65236362200f134c2e		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/viwK.A21 2853888 bytes
ooxml_oleobject_00_ole10native_00.bin
207213cfdce725549317a84e2d93e52361d70e3cf35e65ae76d6407712db3098		 ole-package OOXML xl/embeddings/viwK.A21 Ole10Native stream: olE10natIve 2829124 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.