Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 d3da06e29ed7b2fe…

Verdict: MALICIOUS
File type: Office (OOXML) / .XLSX
Size: 2.23 MB
Created: 2025-08-28 00:09:56 UTC
Authoring application: Microsoft Excel 12.0000
MD5: b01b842aa8626ab4ba0738002c3f972b
SHA-1: 8a5eb0ee6a14017c711b97b4e01def2c4decf284
SHA-256: d3da06e29ed7b2fe2c4441b94805205bf0667d39a6c7b834899d73102d884f50
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File Execution
  • T1204.002 User Execution: Malicious File

The sample is an Office document that contains an embedded OLE object, specifically an Equation Editor object. The heuristic 'SE_ENABLE_LURE' indicates that the document likely instructs the user to enable macros or editing in order to bypass security settings. Taken together, this suggests the document is designed to trick the user into executing malicious content, which is characteristic of a malware dropper.

Heuristics (3)

  • Equation Editor OLE object [severity: high, CVE related] OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/Puy44.rAeQ contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [severity: medium] OOXML_OLE_OBJECT
    Document contains an embedded OLE object.
  • Macro/content-enable lure [severity: medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: ooxml_oleobject_00.bin
    SHA-256: 6c089a1f34eb3b37a13c938b53cd55dcc30aae83f817814dce24e4aa93f7cd3a
    Kind: ooxml-ole-object
    Source: OOXML embedded OLE part: xl/embeddings/Puy44.rAeQ
    Size: 3051008 bytes