Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 d35fe7740c342991…

MALICIOUS

Office (OLE) / .XLSX

Size: 553.0 KB
First seen: 2026-05-19
MD5: e891e4c5ecf110f4663a75ee6a621f90
SHA-1: 65d623742895353fa971a69c39312ad157ebea87
SHA-256: d35fe7740c3429917d0d68cd99817d1a6931f8dbd527bb3cbcfa0919c4b4f470
Risk score: 200

Heuristics (6)

  • Equation Editor OLE object (high, CVE related) [OLE_EQUATION_EDITOR]
    The embedded OLE object xl/embeddings/oleObject1.bin inside the default-password-encrypted OOXML package carries the Equation Editor CLSID {0002CE02-0000-0000-C000-000000000046}, i.e. the legacy EQNEDT32.EXE component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • PEB access via FS segment (x86) (high) [SC_PEB_ACCESS]
    A 4-byte sequence at offset 0x2600B decodes to mov edx, dword ptr fs:[edx + 0x30], the form a 32-bit PEB walk uses to load the PEB pointer from fs:[0x30] through a zeroed register. Check the context before relying on it: a real PEB walk continues with loads from PEB+0x0C (Ldr) and then +0x14 (InMemoryOrderModuleList), whereas the bytes that follow here decode to instructions that cannot be live code (mov cs, edi is undefined on every x86; fisubr, int1 and sti have no place in a loader stub). That is what a chance opcode hit inside high-entropy data looks like, so treat this finding as corroborating the Ole10Native payload evidence rather than as confirmed shellcode until the decrypted payload is decoded or emulated.
    Disassembly
    Attempted x86 opcode disassembly
    0002600B  648b5230          mov edx, dword ptr fs:[edx + 0x30]
    0002600F  b66c              mov dh, 0x6c
    00026011  3af2              cmp dh, dl
    00026013  d7                xlatb
    00026014  bf1824d4c9        mov edi, 0xc9d42418
    00026019  732d              jae 0x26048
    0002601B  4b                dec ebx
    0002601C  44                inc esp
    0002601D  ab                stosd dword ptr es:[edi], eax
    0002601E  f1                int1
    0002601F  291d46106def      sub dword ptr [0xef6d1046], ebx
    00026025  0bf2              or esi, edx
    00026027  fb                sti
    00026028  daa9ef4daec2      fisubr dword ptr [ecx - 0x3d51b211]
    0002602E  5a                pop edx
    0002602F  390514996197      cmp dword ptr [0x97619914], eax
    00026035  761a              jbe 0x26051
    00026037  8060a68c          and byte ptr [eax - 0x5a], 0x8c
    0002603B  46                inc esi
    0002603C  5a                pop edx
    0002603D  8ecf              mov cs, edi
    0002603F  dc7cf170          fdivr qword ptr [ecx + esi*8 + 0x70]
    00026043  ba8de89bdf        mov edx, 0xdf9be88d
    00026048  38cd              cmp ch, cl
    0002604A  f7e2              mul edx
    0002604C  70ff              jo 0x2604d
    0002604E  b91b0fff0c        mov ecx, 0xcff0f1b
    00026053  e136              loope 0x2608b
    00026055  1f                pop ds
    00026056  791e              jns 0x26076
    00026058  861da422082e      xchg byte ptr [0x2e0822a4], bl
    0002605E  11797a            adc dword ptr [ecx + 0x7a], edi
    00026061  ff2b              jmp ptr [ebx]
    00026063  ce                into
    00026064  0de7b84419        or eax, 0x1944b8e7
    00026069  1e                push ds
    0002606A  38                .byte 0x38
  • Default-encrypted OOXML exploit carrier layout (high) [OOXML_ENCRYPTED_EXPLOIT_CARRIER_SHAPE]
    The default-password-encrypted OOXML package holds embedded OLE object parts plus additional activation/decoy parts. This layout is common in malicious Excel exploit delivery; the parts are only visible after the package is decrypted, so a scanner that stops at the outer OLE container never sees them.
  • Equation Editor object carries payload-like Ole10Native stream (high) [OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY]
    The embedded OLE object in the default-password-encrypted package declares the Equation Editor CLSID but stores a large high-entropy Ole10Native stream whose size fields do not agree with the stream length. A genuine Equation 3.0 object keeps its MTEF data in a stream named "Equation Native"; Ole10Native is the Packager (embedded-file) layout, so the combination is exploit-shaped Equation/OLE payload evidence.
  • Office document is password-encrypted (medium) [OFFICE_ENCRYPTED_PACKAGE]
    The outer OLE container holds an MS-OFFCRYPTO EncryptionInfo/EncryptedPackage pair using Standard Encryption (Office 2007+): AES-128 in ECB mode with a SHA-1 based key derivation.
  • Office OOXML encrypted with default VelvetSweatshop password (medium) [OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML]
    The EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Excel tries this password automatically before prompting, so the workbook opens with no user interaction (Word and PowerPoint have no such default), and malware uses it to hide the OOXML exploit parts from scanners that only inspect the outer OLE container.
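As an added example (not part of the report or its scanner), the Python below shows the context check that separates a real 32-bit PEB walk from a chance 64 8B ?? 30 byte match behind the SC_PEB_ACCESS finding: it locates every encoding of the fs:[0x30] load, then looks for the PEB+0x0C (Ldr) and PEB_LDR_DATA list-head loads that a walk must perform next. The inputs are constructed: the publicly known prologue of Metasploit's block_api stub, the bytes listed at 0x2600B above, and a TEB self-pointer read that must not match. The 16-byte context window is an assumption.

```python
"""Grade x86 PEB-walk hits: a `mov r32, fs:[... + 0x30]` on its own is weak
evidence; the Ldr and module-list loads a real walk needs right after it are
what separate shellcode from a chance byte match in high-entropy data."""

REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB field offsets a walk must touch after loading fs:[0x30].
PEB_LDR = 0x0C                  # PEB.Ldr
LDR_LISTS = (0x0C, 0x14, 0x1C)  # PEB_LDR_DATA InLoadOrder / InMemoryOrder / InInitializationOrder heads


def find_peb_loads(blob):
    """Return (offset, length, text) for every encoding of a PEB pointer load."""
    hits = []
    for i in range(len(blob) - 3):
        if blob[i] != 0x64:                      # FS segment override prefix
            continue
        op = blob[i + 1]
        if op == 0xA1 and blob[i + 2:i + 6] == b"\x30\x00\x00\x00":
            hits.append((i, 6, "mov eax, fs:[0x30]"))
            continue
        if op != 0x8B:
            continue
        modrm = blob[i + 2]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 0 and rm == 5 and blob[i + 3:i + 7] == b"\x30\x00\x00\x00":
            hits.append((i, 7, f"mov {REG[reg]}, fs:[0x30]"))
        elif mod == 1 and rm != 4 and blob[i + 3] == 0x30:   # rm=4 would need a SIB byte
            hits.append((i, 4, f"mov {REG[reg]}, fs:[{REG[rm]} + 0x30]"))
    return hits


def _mov_disp8_loads(blob, start, end):
    """Yield (offset, disp8) for each `8B ModRM disp8` (mov r32, [r32 + disp8]) in blob[start:end]."""
    for i in range(start, min(end, len(blob) - 2)):
        if blob[i] == 0x8B and blob[i + 1] >> 6 == 1 and blob[i + 1] & 7 != 4:
            yield i, blob[i + 2]


def grade_hit(blob, offset, length, window=16):
    """'strong' when PEB+0x0C (Ldr) and then a PEB_LDR_DATA list head are loaded
    shortly after the PEB load; otherwise 'weak' (bare pattern match)."""
    start = offset + length
    ldr = next((i for i, d in _mov_disp8_loads(blob, start, start + window) if d == PEB_LDR), None)
    if ldr is None:
        return "weak"
    for _, d in _mov_disp8_loads(blob, ldr + 3, start + window):
        if d in LDR_LISTS:
            return "strong"
    return "weak"


def scan(blob):
    """(offset, decoded instruction, grade) for every PEB load in blob."""
    return [(off, text, grade_hit(blob, off, ln)) for off, ln, text in find_peb_loads(blob)]


# Constructed inputs. BLOCK_API is the publicly known prologue of Metasploit's
# block_api stub; REPORT_BYTES are the bytes listed at 0x2600B in the report;
# TEB_ONLY reads fs:[0x18] (the TEB self-pointer), which is not a PEB load.
BLOCK_API = bytes.fromhex("fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ff")
REPORT_BYTES = bytes.fromhex("648b5230b66c3af2d7bf1824d4c9732d4b44abf1291d46106def")
TEB_ONLY = bytes.fromhex("64a118000000c3")

if __name__ == "__main__":
    for name, blob in [("block_api", BLOCK_API), ("report", REPORT_BYTES), ("teb", TEB_ONLY)]:
        print(name, scan(blob))
```

Run against the report's own bytes the hit grades "weak", while the block_api prologue grades "strong" because `mov edx, [edx+0x0c]` and `mov edx, [edx+0x14]` follow the PEB load immediately; the grade, not the bare match, is what belongs in a verdict.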
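As an added example (not the report's own parser), the Python below walks a Packager-layout Ole10Native stream and raises the two kinds of finding behind OLE_EQUATION_OLE10NATIVE_PAYLOAD_ANOMALY: size fields that disagree with the stream, and a large high-entropy payload. The field order follows the Packager layout (total size, flags word, label, original path, two words, temp-path length, temp path, data length, data); both sample streams are constructed by the builder in the block, and the 64 KiB and 7.5 bits-per-byte thresholds are assumptions.

```python
"""Parse a Packager-style Ole10Native stream and flag the sizing anomalies
and payload entropy that mark an exploit-shaped object."""
import math
import os
import struct


def _cstr(buf, pos):
    """Read a NUL-terminated byte string starting at pos."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated string in Ole10Native header")
    return buf[pos:end].decode("latin-1"), end + 1


def shannon_entropy(data):
    """Bits per byte; random or encrypted data sits near 8.0, text near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_ole10native(stream):
    """Packager layout: total size, flags, label, original path, two words,
    temp-path length, temp path, data length, data."""
    total, flags = struct.unpack_from("<IH", stream, 0)
    pos = 6
    label, pos = _cstr(stream, pos)
    orig_path, pos = _cstr(stream, pos)
    _w1, _w2, temp_len = struct.unpack_from("<HHI", stream, pos)
    pos += 8
    temp_path, pos = _cstr(stream, pos)
    (data_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    return {"declared_total": total, "flags": flags, "label": label, "orig_path": orig_path,
            "declared_temp_len": temp_len, "temp_path": temp_path,
            "declared_data_len": data_len, "data": stream[pos:pos + data_len]}


def assess(stream, large=64 * 1024, high_entropy=7.5):
    """Return (parsed header, list of findings). Thresholds are assumptions."""
    info = parse_ole10native(stream)
    findings = []
    if info["declared_total"] != len(stream) - 4:           # first DWORD counts the bytes after itself
        findings.append("total size field does not match the stream length")
    if info["declared_data_len"] != len(info["data"]):      # declared more than the stream holds
        findings.append("data length field overruns the stream")
    if info["declared_temp_len"] != len(info["temp_path"]) + 1:
        findings.append("temp-path length field disagrees with the string")
    ent = shannon_entropy(info["data"])
    if len(info["data"]) >= large and ent >= high_entropy:
        findings.append(f"large high-entropy payload ({len(info['data'])} bytes, {ent:.2f} bits/byte)")
    return info, findings


def build_ole10native(label, orig_path, temp_path, data, lie_total=None, lie_data_len=None):
    """Constructed sample builder; lie_* override the size fields to mimic a malformed stream."""
    body = struct.pack("<H", 2) + label.encode() + b"\x00" + orig_path.encode() + b"\x00"
    body += struct.pack("<HHI", 0, 3, len(temp_path) + 1) + temp_path.encode() + b"\x00"
    body += struct.pack("<I", lie_data_len if lie_data_len is not None else len(data)) + data
    total = lie_total if lie_total is not None else len(body)
    return struct.pack("<I", total) + body


# Constructed samples: a consistent stream with a small text payload, and one
# whose size fields lie and whose payload is random bytes (stand-in for a
# packed or encrypted exploit payload).
BENIGN = build_ole10native("notes.txt", "C:\\docs\\notes.txt", "C:\\tmp\\notes.txt",
                           b"quarterly numbers attached\r\n")
SUSPECT = build_ole10native("eqn", "C:\\x", "C:\\x", os.urandom(70000),
                            lie_total=0x10, lie_data_len=0xFFFFFF)

if __name__ == "__main__":
    for name, stream in [("benign", BENIGN), ("suspect", SUSPECT)]:
        info, findings = assess(stream)
        print(name, info["label"], len(info["data"]), findings)
```

Whether the stream is named Ole10Native inside an object that declares the Equation Editor CLSID is a separate check on the embedded object's directory (a real Equation 3.0 object carries "Equation Native" instead); the sizing and entropy checks above are the part that can be scripted against the stream bytes alone.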
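As an added example that is not part of the report or any tool's code, the Python below decodes the binary EncryptionInfo header to confirm the OFFICE_ENCRYPTED_PACKAGE classification (Standard Encryption, AES-128, SHA-1) and runs the Standard key derivation for the VelvetSweatshop password that OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML relies on. The EncryptionInfo blob, salt and verifier bytes are constructed in the block; the AES-128-ECB primitive that Standard encryption uses for the verifier and the package is not in the standard library, so it is passed in as a callable (any AES library's ECB decrypt fits), and the demo stores its verifier bytes in the clear so an identity callable exercises the check end to end.

```python
"""Identify the MS-OFFCRYPTO scheme in an EncryptionInfo stream and run the
Standard-encryption key derivation for Excel's built-in password."""
import hashlib
import struct

VELVET = "VelvetSweatshop"   # the password Excel tries silently before prompting
ALG_IDS = {0x6801: "RC4", 0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256"}
HASH_IDS = {0x8004: "SHA-1"}


def parse_encryption_info(blob):
    """Decode the binary EncryptionInfo header (Standard encryption, version x.2).
    Agile encryption (4.4) carries an XML descriptor instead and is only identified."""
    major, minor, flags = struct.unpack_from("<HHI", blob, 0)
    if (major, minor) == (4, 4):
        return {"scheme": "Agile"}
    if minor != 2 or major not in (2, 3, 4):
        raise ValueError(f"unrecognised EncryptionInfo version {major}.{minor}")
    (hdr_size,) = struct.unpack_from("<I", blob, 8)
    _flags, _extra, alg_id, alg_hash, key_bits = struct.unpack_from("<5I", blob, 12)
    pos = 12 + hdr_size                         # skip the rest of the header incl. the CSP name
    (salt_size,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    salt = blob[pos:pos + salt_size]
    pos += salt_size
    enc_verifier = blob[pos:pos + 16]
    pos += 16
    (hash_size,) = struct.unpack_from("<I", blob, pos)
    pos += 4
    enc_hash = blob[pos:pos + 32]               # AES: SHA-1 hash padded to two cipher blocks
    return {"scheme": "Standard", "flags": flags, "cipher": ALG_IDS.get(alg_id, hex(alg_id)),
            "hash": HASH_IDS.get(alg_hash, hex(alg_hash)), "key_bits": key_bits, "salt": salt,
            "enc_verifier": enc_verifier, "hash_size": hash_size, "enc_verifier_hash": enc_hash}


def standard_key(password, salt, key_bits=128):
    """ECMA-376 Standard key derivation: 50,000 SHA-1 rounds, block 0, then the
    0x36 pad (and 0x5C pad for keys longer than one digest)."""
    h = hashlib.sha1(salt + password.encode("utf-16le")).digest()
    for i in range(50000):
        h = hashlib.sha1(struct.pack("<I", i) + h).digest()
    h_final = hashlib.sha1(h + b"\x00\x00\x00\x00").digest()
    padded = h_final.ljust(64, b"\x00")
    x1 = hashlib.sha1(bytes(a ^ b for a, b in zip(b"\x36" * 64, padded))).digest()
    x2 = hashlib.sha1(bytes(a ^ b for a, b in zip(b"\x5c" * 64, padded))).digest()
    return (x1 + x2)[:key_bits // 8]


def verify_password(info, password, ecb_decrypt):
    """ecb_decrypt(key, data) must be AES-ECB (Standard encryption uses no IV).
    Returns (password is correct, derived key)."""
    key = standard_key(password, info["salt"], info["key_bits"])
    verifier = ecb_decrypt(key, info["enc_verifier"])
    expected = ecb_decrypt(key, info["enc_verifier_hash"])[:info["hash_size"]]
    return hashlib.sha1(verifier).digest() == expected, key


def decrypt_package(encrypted_package, key, ecb_decrypt):
    """EncryptedPackage = 8-byte little-endian plaintext length + AES-ECB ciphertext."""
    (size,) = struct.unpack_from("<Q", encrypted_package, 0)
    return ecb_decrypt(key, encrypted_package[8:])[:size]


def build_standard_encryption_info(salt, enc_verifier, enc_verifier_hash, key_bits=128):
    """Constructed EncryptionInfo (version 3.2, AES, SHA-1) for the demo; not the sample's."""
    csp = "Microsoft Enhanced RSA and AES Cryptographic Provider\x00".encode("utf-16le")
    header = struct.pack("<8I", 0x24, 0, 0x660E, 0x8004, key_bits, 0x18, 0, 0) + csp
    verifier = struct.pack("<I", len(salt)) + salt + enc_verifier + struct.pack("<I", 20) + enc_verifier_hash
    return struct.pack("<HHI", 3, 2, 0x24) + struct.pack("<I", len(header)) + header + verifier


# Constructed demo data. The verifier fields are stored unencrypted so that an
# identity callable (lambda key, data: data) stands in for AES-ECB.
SALT = bytes(range(16))
VERIFIER = b"constructed-16by"
SAMPLE_INFO = build_standard_encryption_info(SALT, VERIFIER, hashlib.sha1(VERIFIER).digest() + b"\x00" * 12)
TAMPERED_INFO = build_standard_encryption_info(SALT, VERIFIER, b"\xff" * 32)
SAMPLE_PACKAGE = struct.pack("<Q", 5) + b"hello" + b"\x00" * 11   # length prefix + one 16-byte block

if __name__ == "__main__":
    info = parse_encryption_info(SAMPLE_INFO)
    print(info["scheme"], info["cipher"], info["hash"], info["key_bits"])
    print("VelvetSweatshop key:", standard_key(VELVET, info["salt"], info["key_bits"]).hex())
```

On a real carrier the two streams come out of the outer CFB (EncryptionInfo and EncryptedPackage), and the order of operations is the one the heuristics imply: confirm the scheme from the header, derive the key from VelvetSweatshop, check the verifier, and only then decrypt the package and hand the OOXML parts to the OLE and Equation checks.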