Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ddedef377d750fc9…

MALICIOUS

Office (OOXML) / .XLSX

Size: 15.0 KB
Created: 2023-12-27 06:41:10 UTC
Authoring application: Microsoft Excel 16.0300
First seen: 2026-06-08
MD5: 0e218f7b9d969dbaeeddf9c7343d644c
SHA-1: 53ed1a768454b74b6148e425909629c591872b1c
SHA-256: ddedef377d750fc961a4879b2ccbc10efe27b9beebd89fee40a2d6b63dd0872c
Risk Score: 140

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is an Office document containing an embedded OLE object. Static analysis detected the EICAR test signature within this object, which is a standard method for testing antivirus detection capabilities. This strongly suggests the file is intended to be recognized as malicious by security software, likely as a test or a component of a larger malicious delivery chain.

Heuristics 2

  • ClamAV: Eicar-Test-Signature critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Eicar-Test-Signature
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 4

Files carved from inside the sample during analysis.

Columns: Filename | Kind | Source | Size

  • ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/oleObject1.bin | 3072 bytes
    SHA-256: 856d39e8439a8095f0aefc1f6696277d6ea3c02bb2f791830fa6667eaa2b257f
    Detection: ClamAV: Eicar-Test-Signature
    Obfuscation or payload: unlikely
  • ooxml_oleobject_00_ole10native_00.bin | ole-package | OOXML xl/embeddings/oleObject1.bin Ole10Native stream: Ole10Native | 575 bytes
    SHA-256: 18daccfd55efff9a2298031dbc53dcf6d898b97cf25ff23096f8fabf9de331a0
  • ooxml_oleobject_00_ole10native_00_eicar.txt | ole-package-payload | OOXML xl/embeddings/oleObject1.bin Ole10Native payload: display_name=eicar.txt; full_path=C:\Users\YZ\AppData\Local\Temp\{1BCCD91E-1642-4F87-B5D0-4827D8A92950}\{41AF9B28-DDE0-4749-A276-90D2750869C8}\eicar.txt; temp_path=; def_file= | 68 bytes
    SHA-256: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
    Detection: ClamAV: Eicar-Test-Signature
    Obfuscation or payload: unlikely
  • emf_00.emf | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 4988 bytes
    SHA-256: 626b2e550af6f5ba4621539ae72862a6b336997ef9281f8c48403fea4d63fb5f