Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 d152170fdb5b29b3…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.04 MB
Created: 2025-05-15 01:02:55 UTC
Authoring application: Microsoft Excel 12.0000
MD5: a05dae5d5a8d2dc28dbc7800070ac470
SHA-1: ff40a4134f4e4055905956a9d9cf60793dbed5cc
SHA-256: d152170fdb5b29b3639bf558b8b45567be85dce408e6461ebb4f9cf69397c289
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1559.001 Component Object Model Hijacking

The critical heuristic firing for CVE-2017-11882, combined with the detection of an embedded Equation Editor OLE object, strongly indicates exploitation of this known vulnerability. The NOP sled further supports the likelihood of code execution. The embedded OLE object is the primary vector for delivering the exploit; detonating or opening the sample in an environment with Equation Editor (EQNEDT32.EXE) present and unpatched should be treated as a compromise risk.

Heuristics (4)

  • CVE-2017-11882 — Equation Editor FONT record overflow
    Severity: critical | Category: CVE likely | Rule: CVE_2017_11882
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object
    Severity: high | Category: CVE related | Rule: OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/SZvzn7rc.fJJt8TQ contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • NOP sled detected
    Severity: high | Rule: SC_NOP_SLED
    Found 20+ consecutive 0x90 bytes
  • Embedded OLE object
    Severity: medium | Rule: OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 65e4d395350977b139c2eb6405e30c6186d4a429f5e4fe4675cbd82ce7476c7a
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/SZvzn7rc.fJJt8TQ
Size: 2921472 bytes