Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ee994caef467cbeb…

MALICIOUS

Office (OOXML) / .XLSX

Size: 1.97 MB
Created: 2025-06-12 01:12:31 UTC
Authoring application: Microsoft Excel 12.0000 (the Office 2007 AppVersion string)
MD5: b952343b3b312362af3767102053068e
SHA-1: 16a616784e2e0ba73f9a0489a32132f172c6bd5f
SHA-256: ee994caef467cbeb152a0f51744a43fa6fe51a0d46354fe867ac581df9cf82d1
Risk score: 60

Malware Insights

MITRE ATT&CK
T1559.001 Inter-Process Communication: Component Object Model (the name "Component Object Model Hijacking" belongs to T1546.015, not to this ID; exploitation of the Equation Editor component itself is better described by T1203 Exploitation for Client Execution)

The primary finding is a high-severity heuristic: an OLE object embedded in the workbook carries the CLSID of the Equation Editor (EQNEDT32.EXE) component. Equation Editor is the legacy, unsandboxed component targeted by CVE-2017-11882 and the follow-up bugs, and a document that embeds it is the standard delivery vehicle for those exploits. The embedded OLE part is therefore both the main IOC and the exploitation mechanism. Note that the CLSID alone shows which component the document intends to load; whether the object actually contains working exploit data has to be confirmed by parsing the carved part.

Heuristics (2)

  • OLE_EQUATION_EDITOR (severity: high; tags: CVE related)
    Equation Editor OLE object: the embedded OLE part xl/embeddings/3AEUC.dYQBA contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • OOXML_OLE_OBJECT (severity: medium)
    Embedded OLE object: the document contains an embedded OLE object.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
ooxml_oleobject_00.bin | ooxml-ole-object | OOXML embedded OLE part: xl/embeddings/3AEUC.dYQBA | 2774016 bytes
  SHA-256: fad069663c6ed504da7c71c1b4f33d8efbf6327c817ab01940b24f5aeee6411e
ooxml_oleobject_00_ole10native_00.bin | ole-package | Ole10Native stream (named "OLe10NATive") inside xl/embeddings/3AEUC.dYQBA | 2749567 bytes
  SHA-256: c75456682680dc405097c3b18a83e947fffbdcbaa19d0b2ed9ea40c0969157ed

Two details of the second artifact deserve attention. The stream is named OLe10NATive rather than Ole10Native: CFB compares directory-entry names case-insensitively, so the OLE container still resolves it as the Packager (Ole10Native) stream, while signatures that match the literal name miss it. At 2749567 bytes it is also far larger than any equation object, which suggests it carries a dropped payload rather than exploit data; it should be the next thing examined. The part name xl/embeddings/3AEUC.dYQBA is likewise non-standard (Excel itself writes oleObjectN.bin), so tooling that only inspects *.bin parts under xl/embeddings/ will overlook it.
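The checks behind the two heuristics above and the artifact carving can be reproduced with a small triage scanner. The block below is an added example, not code from the analysis platform that produced this report: it walks every part under xl/embeddings/ regardless of extension, looks for the Equation Editor CLSID in its on-disk little-endian form, matches the Ole10Native and Equation Native stream names case-insensitively (the way CFB itself does), and records the SHA-256 and size of each part as the artifact table does. The workbook it scans is a constructed stand-in that reproduces only the bytes the scanner keys on; it is not a valid CFB file, and the directory-entry layout it imitates is simplified to name, metadata, CLSID and padding.

```python
"""Triage scanner for an OOXML workbook's embedded OLE parts (added example)."""
import hashlib
import io
import re
import uuid
import zipfile

# Every OOXML embedded OLE part is a CFB (OLE2 compound file) and starts with this magic.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Equation Editor 3.0 CLSID. CFB directory entries store CLSIDs as little-endian
# GUIDs, which is exactly what uuid.UUID.bytes_le produces.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")

# Stream names worth flagging. CFB directory names are UTF-16LE and the container
# compares them case-insensitively, so "OLe10NATive" still loads as Ole10Native;
# the scanner has to match the same way or it misses the evasion.
SUSPICIOUS_STREAMS = ("Ole10Native", "Equation Native")


def scan_ole_part(data: bytes) -> dict:
    """Triage one embedded OLE part given its raw bytes."""
    findings = {
        "is_cfb": data.startswith(CFB_MAGIC),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "equation_editor_clsid": EQUATION_EDITOR_CLSID.bytes_le in data,
        "streams": [],
    }
    # Directory entries are 128 bytes long and sector-aligned, so every name
    # field starts at an even offset. Decoding the whole part as UTF-16LE from
    # offset 0 therefore recovers the names intact; the noise decoded from
    # non-name bytes does not match the patterns below.
    text = data.decode("utf-16-le", errors="ignore")
    for name in SUSPICIOUS_STREAMS:
        for match in re.finditer(re.escape(name), text, flags=re.IGNORECASE):
            findings["streams"].append(match.group(0))  # keep the sample's spelling
    return findings


def scan_xlsx(xlsx_bytes: bytes) -> list:
    """Scan every part under xl/embeddings/, whatever its file name.

    Excel itself writes oleObjectN.bin, but the container accepts any name
    (the sample uses 3AEUC.dYQBA), so filtering on *.bin would miss it.
    """
    results = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("xl/embeddings/"):
                continue
            part = scan_ole_part(zf.read(info))
            part["part"] = info.filename
            results.append(part)
    return results


def heuristics(results: list) -> set:
    """Map findings to the rule identifiers used in the report."""
    tags = set()
    for r in results:
        if r["is_cfb"]:
            tags.add("OOXML_OLE_OBJECT")
        if r["equation_editor_clsid"]:
            tags.add("OLE_EQUATION_EDITOR")
    return tags


def build_constructed_sample() -> bytes:
    """CONSTRUCTED stand-in for the sample, not a valid workbook or CFB file.

    It reproduces only the bytes the scanner keys on, laid out like a real
    128-byte directory entry: 64-byte UTF-16LE name field, 16 bytes of entry
    metadata, 16-byte CLSID, 32 bytes of remaining fields.
    """
    entry = "OLe10NATive".encode("utf-16-le").ljust(64, b"\x00")
    entry += b"\x00" * 16
    entry += EQUATION_EDITOR_CLSID.bytes_le
    entry += b"\x00" * 32
    assert len(entry) == 128
    ole_part = CFB_MAGIC.ljust(512, b"\x00") + entry  # header sector, then directory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/embeddings/3AEUC.dYQBA", ole_part)
    return buf.getvalue()


if __name__ == "__main__":
    scan = scan_xlsx(build_constructed_sample())
    for r in scan:
        print(r["part"], r["sha256"], r["size"], r["streams"])
    print(sorted(heuristics(scan)))
```

Against a real sample, replace build_constructed_sample() with the bytes of the workbook and treat a positive CLSID match as a reason to carve the part and parse its streams properly (for example with oletools), since the raw byte search is a triage signal rather than proof of a working exploit.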