Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e3a9bd5fa829972a…

MALICIOUS

Office (OOXML) / .XLSX

2.15 MB Created: 2025-07-15 00:56:42 UTC Authoring application: Microsoft Excel 12.0000
MD5: c50fb7179cb1f4f9c25849d296506198 SHA-1: 1afe27750d9544481ad3bee833afb6eeced866b9 SHA-256: e3a9bd5fa829972acb178dbe89c30e736a36798aac999be307ebbbb6372b60b1
60 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 Malicious Link

The file is an Office document containing an embedded OLE object, specifically identified as a Microsoft Equation Editor object. This is a known vector for exploiting vulnerabilities, such as CVE-2017-11882, to execute arbitrary code. The embedded object's filename, 'mIh09TNX.mGhWat0', is extracted as a potential IOC. The document body contains garbled text, suggesting it's not intended for direct user interaction but rather to facilitate the exploit.

Heuristics 2

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/mIh09TNX.mGhWat0 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
57c54f92aa062208a1f70540954461c2f3a66957d014befa04f6da715b7651be		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/mIh09TNX.mGhWat0 2956800 bytes
ooxml_oleobject_00_ole10native_00.bin
43f3f7a743b7292a5d4eb40529f6e87465290a3c1dc515fa3e95853b9b186758		 ole-package OOXML xl/embeddings/mIh09TNX.mGhWat0 Ole10Native stream: OLE10NatiVe 2931159 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.