Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 c9ecb6fb94822741…

MALICIOUS

Office (OOXML) / .XLSX

2.01 MB
Created: 2025-05-19 00:58:37 UTC
Authoring application: Microsoft Excel 12.0000
First seen: 2025-05-20
MD5: fb6a4b0a6569c2af3842b96cc7b098e6
SHA-1: 432171c7e0efdc5f0d64e7c0ddc3feb96ec38a10
SHA-256: c9ecb6fb948227414357e221aa9b46dda2063989a8c47624815e9b8ee0e1aa86
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The file is an Excel spreadsheet containing an embedded OLE object, specifically identified as an Equation Editor object. This type of object is frequently exploited to deliver malicious payloads. The document body, though heavily obfuscated, appears to list items, suggesting a lure to entice the user to interact with the embedded object.

Heuristics 2

  • Equation Editor OLE object | high | CVE related | OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/j8OAQL.TQrIfkS contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object | medium | OOXML_OLE_OBJECT
    Document contains an embedded OLE object.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
06f559f292129dda653c960d90b66cf986b0bd53a89c9b22b96907467c2949a3
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/j8OAQL.TQrIfkS
Size: 2830848 bytes