Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 de228ede36832cf8…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.86 MB
Created: 2025-09-10 01:57:00 UTC
Authoring application: Microsoft Excel 15.0300
MD5:     45dda08412c7a3adb6cc270bb3c9b4a3
SHA-1:   6d7b0b37605b2d482790f642674631586fe5b7b5
SHA-256: de228ede36832cf869c8cbf14f999614c6f60ddee5f72c9a6d63481124b3692b
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The file is an OOXML workbook containing an embedded OLE object (xl/embeddings/9Y.R6E) whose CLSID identifies it as an Equation Editor (EQNEDT32.EXE) object. That legacy component is the target of CVE-2017-11882 and its follow-ups, and Microsoft removed it from Office in the January 2018 updates, so a 2.8 MB Equation Editor object in a spreadsheet is anomalous on its own (legitimate equations are a few hundred bytes). The object is the primary indicator of malicious intent and the likely path to arbitrary code execution on an unpatched host. Two caveats apply: the CLSID alone does not prove the exploit is present, so the object should be carved and its equation data inspected for the overlong FONT record that triggers CVE-2017-11882; and the second stage has not been observed, since this is static analysis. The Ole10Native stream carried by the object is itself 2.87 MB, which points to an embedded second-stage payload rather than a downloader, and its mixed-case stream name (oLE10NAtiVe) is resolved normally by the case-insensitive compound-file format but can evade case-sensitive signatures.

Heuristics (2)

  • OLE_EQUATION_EDITOR (severity: high, class: CVE related): Equation Editor OLE object
    Embedded OLE object xl/embeddings/9Y.R6E contains the Equation Editor CLSID ({0002CE02-0000-0000-C000-000000000046}), the legacy component exploited by CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798.
  • OOXML_OLE_OBJECT (severity: medium): Embedded OLE object
    Document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

1. ooxml_oleobject_00.bin
   Kind:    ooxml-ole-object
   Source:  OOXML embedded OLE part xl/embeddings/9Y.R6E
   Size:    2,899,456 bytes
   SHA-256: dcccfe19e9ad664fd557133a717d326d223b34595b41ece23e2b121ba88b4a12

2. ooxml_oleobject_00_ole10native_00.bin
   Kind:    ole-package
   Source:  OOXML xl/embeddings/9Y.R6E, Ole10Native stream "oLE10NAtiVe"
   Size:    2,873,897 bytes
   SHA-256: c795a217b0ebed7f622d0e431bf0eab3e149afded13194a655e6dcd75d009ca5
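As an added worked example (not the analysis platform's own tooling), the following stdlib-only Python reproduces the two checks behind the OLE_EQUATION_EDITOR heuristic and the artifact carving listed above: it opens the workbook as a zip, walks the compound-file directory of each xl/embeddings/ part, compares the root entry's CLSID with Equation Editor's, matches the Ole10Native stream name case-insensitively, and reads the stream's sector chain. The workbook it scans is constructed inline by build_sample_xlsx with dummy bytes; only the part name 9Y.R6E and the mixed-case stream name are taken from the report, everything else in the sample is invented for the test. Mini streams (under 4096 bytes) and DIFAT sectors beyond the header are deliberately not handled; for real samples, oletools (olefile/oleobj) covers both.

```python
import io, struct, zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046} as stored on disk in a
# compound-file directory entry: Data1..Data3 little-endian, Data4 byte-for-byte.
EQNEDT_CLSID = bytes.fromhex("02ce0200" "0000" "0000" "c000000000000046")
MAXREGSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFA, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF

def clsid_to_str(raw):
    # Render a 16-byte on-disk GUID as {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}.
    d1, d2, d3 = struct.unpack_from("<IHH", raw)
    return "{%08X-%04X-%04X-%s-%s}" % (d1, d2, d3, raw[8:10].hex().upper(), raw[10:].hex().upper())

def _fat(blob):
    """Sector size and flattened FAT (header DIFAT only: enough for ~7 MB at 512-byte sectors)."""
    ssize = 1 << struct.unpack_from("<H", blob, 30)[0]
    num_fat = struct.unpack_from("<I", blob, 44)[0]
    difat = struct.unpack_from("<109I", blob, 76)[:num_fat]
    fat = [v for sec in difat for v in struct.unpack_from("<%dI" % (ssize // 4), blob, (sec + 1) * ssize)]
    return ssize, fat

def _chain(blob, start):
    """Yield each sector of a FAT chain; the seen-set stops loops in a corrupted FAT."""
    ssize, fat = _fat(blob)
    sec, seen = start, set()
    while sec <= MAXREGSECT and sec < len(fat) and sec not in seen:
        seen.add(sec)
        yield blob[(sec + 1) * ssize:(sec + 2) * ssize]
        sec = fat[sec]

def cfb_directory(blob):
    """[(name, type, clsid, start, size)] per used directory entry (type 5 = root, 2 = stream)."""
    if blob[:8] != CFB_MAGIC:
        raise ValueError("not a compound file")
    entries = []
    for sector in _chain(blob, struct.unpack_from("<I", blob, 48)[0]):
        for off in range(0, len(sector), 128):
            e = sector[off:off + 128]
            name_len, etype = struct.unpack_from("<HB", e, 64)
            if etype == 0:                                  # unused slot
                continue
            name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            start, size = struct.unpack_from("<IQ", e, 116)
            entries.append((name, etype, e[80:96], start, size))
    return entries

def cfb_streams(blob):
    """{name: bytes} for regular streams (>= 4096 bytes); mini-stream data is not handled."""
    return {n: b"".join(_chain(blob, st))[:sz]
            for n, t, _, st, sz in cfb_directory(blob) if t == 2 and sz >= 4096}

def embedded_parts(xlsx_bytes):
    """{part name: bytes} for every compound file under xl/embeddings/ in the workbook zip."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        parts = {p: z.read(p) for p in z.namelist() if p.startswith("xl/embeddings/")}
    return {p: b for p, b in parts.items() if b[:8] == CFB_MAGIC}

def scan_xlsx(xlsx_bytes):
    """One finding per embedded OLE part: root CLSID, Equation Editor match, package stream."""
    findings = []
    for part, blob in embedded_parts(xlsx_bytes).items():
        entries = cfb_directory(blob)
        root = next(e for e in entries if e[1] == 5)
        names = [e[0] for e in entries if e[1] == 2]
        findings.append({
            "part": part,
            "clsid": clsid_to_str(root[2]),
            "equation_editor": root[2] == EQNEDT_CLSID,
            # CFB names are case-insensitive, so "oLE10NAtiVe" is still the Packager stream.
            "ole10native": any(n.lstrip("\x01").lower() == "ole10native" for n in names),
            "streams": names,
        })
    return findings

def build_sample_xlsx():
    """Constructed input, not the analysed sample: a minimal v3 compound file with the Equation
    Editor root CLSID and a 4 KiB dummy \\x01oLE10NAtiVe stream, zipped as an .xlsx part."""
    def entry(name, etype, clsid=b"\0" * 16, start=ENDOFCHAIN, size=0, child=FREESECT):
        raw = name.encode("utf-16-le") + b"\0\0"
        e = bytearray(128)
        e[:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 64, len(raw), etype, 1, FREESECT, FREESECT, child)
        e[80:96] = clsid
        struct.pack_into("<IQ", e, 116, start, size)
        return bytes(e)
    body = b"\x02\x00constructed-dummy-package-body".ljust(4096, b"\0")
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)     # v3, LE, 512-byte sectors
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)       # FAT is in sector 0
    fat = [FREESECT] * 128
    fat[0], fat[1] = FATSECT, ENDOFCHAIN                            # sector 1 = directory
    fat[2:10] = [3, 4, 5, 6, 7, 8, 9, ENDOFCHAIN]                   # sectors 2..9 = body
    directory = (entry("Root Entry", 5, EQNEDT_CLSID, child=1)
                 + entry("\x01oLE10NAtiVe", 2, start=2, size=len(body)) + bytes(256))
    cfb = bytes(hdr) + struct.pack("<128I", *fat) + directory + body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/embeddings/9Y.R6E", cfb)
    return buf.getvalue()
```

Running scan_xlsx on a real workbook gives one finding per embedded part; a finding with equation_editor set is the OLE_EQUATION_EDITOR hit, and cfb_streams on the same part carves the package stream the way the second artifact above was carved. Confirming the exploit rather than just the component means going one step further and parsing the carved equation data for the overlong FONT record that overflows the CVE-2017-11882 font-name buffer.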