Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 e57afb6e01fe583f…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.58 MB
Created: 2025-09-04 00:14:20 UTC
Authoring application: Microsoft Excel 12.0000
MD5: c5b7e9ed3cb18ed9b0b8f1a0f396db17
SHA-1: 379901fc8e4a98696502e1172c810443149307cb
SHA-256: e57afb6e01fe583f09285c0e47a010b02d90f5f1733b645b306af2d8b2425386
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The file is an Office document containing an embedded OLE object, specifically identified as an Equation Editor object. The heuristic 'SE_ENABLE_LURE' indicates that the document likely instructs the user to enable macros or content, a common tactic for malware droppers. This suggests the embedded object is intended to execute malicious code upon user interaction. No scripts were extracted, and the document body was truncated, limiting further analysis of the specific payload.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Embedded OLE object xl/embeddings/517F1q.6do contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium) [OOXML_OLE_OBJECT]
    Document contains an embedded OLE object.
  • Macro/content-enable lure (severity: medium) [SE_ENABLE_LURE]
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256:  14daaeea3148194bd6dcc7fe3ddaf5a6978b8784917e06d9fcdddcec833e6332
Kind:     ooxml-ole-object
Source:   OOXML embedded OLE part: xl/embeddings/517F1q.6do
Size:     3017216 bytes