Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 d7ad86a5bf5b3fb1…

MALICIOUS

Office (OOXML) / .XLSX

2.02 MB Created: 2025-04-16 03:58:07 UTC Authoring application: Microsoft Excel 12.0000
MD5: 8a2399a67057147cca20c7ac15bcaf6b SHA-1: e18455768010dfd54320ff4c115587c41526eae2 SHA-256: d7ad86a5bf5b3fb16e01dc63c6db30c2ef09fd053137f7b5d828f57bdb4bab93
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204 User Execution T1204.002 Malicious File

The sample is an OOXML file containing an embedded OLE object, specifically identified as an Equation Editor object. The document body contains text that instructs the user to 'click Enable editing', a common lure to bypass macro security. The presence of the Equation Editor OLE object is a strong indicator of malicious intent, often used to exploit vulnerabilities or deliver further payloads.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/ZPMWgCp.WpgLQql contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
05707621a0ff16d0631880edbd596865fd69e7775424e811a1188baf8c665d5b		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/ZPMWgCp.WpgLQql 2855936 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.