Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e4a7f4d17ae4f392…

MALICIOUS

Office (OOXML) / .XLSX

2.19 MB Created: 2025-08-28 00:09:56 UTC Authoring application: Microsoft Excel 12.0000 First seen: 2025-09-03
MD5: a435fa1de1c84c81d5b29d1fa002c37f SHA-1: 06081a55fa8d1d047b991472bead409325a15375 SHA-256: e4a7f4d17ae4f392713b90b301313b2976b9926d6d2784ce02079aa04ccd8bd0
80 Risk Score

Malware Insights

MITRE ATT&CK
T1204 User Execution T1204.002 Malicious File

The sample is an Office document containing an embedded OLE object, specifically an Equation Editor object. The heuristic 'SE_ENABLE_LURE' indicates that the document likely instructs the user to enable macros or editing, a common tactic for malware droppers. The embedded OLE object is a strong indicator of malicious intent, potentially serving as a dropper for a secondary payload.

Heuristics 3

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Embedded OLE object xl/embeddings/kLub1Apyp.4b6A contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object medium OOXML_OLE_OBJECT
    Document contains an embedded OLE object
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ooxml_oleobject_00.bin
451c4330ec17e9177cc768f5c970265cd6cc841afb7ba72454320db523a800e9		 ooxml-ole-object OOXML embedded OLE part: xl/embeddings/kLub1Apyp.4b6A 3059712 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.