Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 dde97988b493f503…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.99 MB
Created: 2025-05-16 00:39:35 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 1cb0cb1b9346bf263e9088fbae438905
SHA-1: b6aa4d9d02b021f430e4267ca8f27a89d653074e
SHA-256: dde97988b493f5036b9b055f322b6294b3a74d0767b93f768e621f6b22037922
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1559.001 Component Object Model Hijacking

The sample is an Office Open XML spreadsheet containing an embedded OLE object, specifically identified as an Equation Editor object. High and critical severity heuristics indicate the exploitation of CVE-2017-11882 through a font record overflow within this object. This vulnerability is known to be used for arbitrary code execution, suggesting the document's primary purpose is to exploit this vulnerability to download and execute a secondary payload.

Heuristics (3)

  • CVE-2017-11882 — Equation Editor FONT record overflow [critical, CVE likely] (CVE_2017_11882)
    Equation Editor MTEF contains an overlong FONT typeface field, the vulnerable copy primitive for CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE.
  • Equation Editor OLE object [high, CVE related] (OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/6DoReP.j4 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object [medium] (OOXML_OLE_OBJECT)
    Document contains an embedded OLE object.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 4efee90b56f4c87ee4ea3d050f66d37af3b0529ba66bf6391548932c9ac2328d
Kind: ooxml-ole-object
Source: OOXML embedded OLE part: xl/embeddings/6DoReP.j4
Size: 2865664 bytes