Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 f977b98d49870c5e…

MALICIOUS

Office (OOXML) / .XLSX

Size: 2.05 MB
Created: 2025-05-22 22:02:38 UTC
Authoring application: Microsoft Excel 12.0000
MD5: 3d258d2622b27196b2920af98a6bf08d
SHA-1: 7cc43e45d1b96b074702e3ec65f0fdddcdbf37cd
SHA-256: f977b98d49870c5ece1d3c0ea807fd98d6c38af2f40ed42ac575ae6140aac0b9
Risk score: 122

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Office document containing an embedded OLE object (xl/embeddings/dG.UI9f1) identified by its CLSID as a Microsoft Equation Editor object. The object's MTEF data carries an overlong FONT typeface field, the malformed record that triggers CVE-2017-11882, a stack buffer overflow in the legacy EQNEDT32.EXE component, so the document is assessed as exploiting this vulnerability for initial execution. No scripts were extracted, and the visible workbook content is obfuscated and appears to be junk data, which is consistent with exploit-based delivery rather than with content the user is meant to read or enable.

Heuristics (3)

  • CVE-2017-11882: Equation Editor FONT record overflow (severity: critical; class: CVE likely; rule: CVE_2017_11882)
    The Equation Editor MTEF data contains an overlong FONT typeface field, the input consumed by the vulnerable copy primitive behind CVE-2017-11882. This is stronger evidence than the Equation Editor CLSID alone because it identifies the malformed record that drives code execution in EQNEDT32.EXE, rather than just the presence of the exploitable component.
  • Equation Editor OLE object (severity: high; class: CVE related; rule: OLE_EQUATION_EDITOR)
    Embedded OLE object xl/embeddings/dG.UI9f1 contains the Equation Editor CLSID, the legacy component exploited by CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798.
  • Embedded OLE object (severity: medium; rule: OOXML_OLE_OBJECT)
    The document contains an embedded OLE object.
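The two stronger heuristics above (the Equation Editor CLSID in the OLE object, and the overlong FONT typeface name in the MTEF data) can be reproduced with a small walker over the object's "Equation Native" stream. The code below is an added example written for this report, not output of the analysis engine. It assumes the caller has already carved the OLE object from the OOXML part and extracted its "Equation Native" stream (for example with olefile, which is not shown), the 32-byte name threshold is a detection choice, not the size of the vulnerable buffer, and all sample streams are constructed for the example.

```python
"""Heuristic check for the CVE-2017-11882 indicator: an overlong FONT-record
typeface name inside an Equation Editor 3.0 "Equation Native" stream (MTEF v3).

Assumption: the caller has already carved the OLE object from the OOXML part and
extracted its "Equation Native" stream (e.g. with olefile); the functions below take
that stream as bytes. All sample data here is constructed for the example.
"""
import struct

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}, little-endian as stored in OLE
EQNEDT_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")
EQNOLEFILEHDR_LEN = 28        # cbHdr(2) version(4) cf(2) cbObject(4) reserved(16)
MTEF_HDR_LEN = 5              # version, platform, product, product version, product sub-version
MAX_SANE_FONT_NAME = 32       # detection threshold (assumption): legitimate typeface names are far shorter

REC_END, REC_LINE, REC_CHAR, REC_FONT = 0x0, 0x1, 0x2, 0x8
TAG_ONLY = {0x0, 0xA, 0xB, 0xC, 0xD, 0xE}   # END, FULL, SUB, SUB2, SYM, SUBSYM: one tag byte, no payload


def has_equation_editor_clsid(blob: bytes) -> bool:
    """OLE_EQUATION_EDITOR-style check: the legacy component's CLSID appears in the raw OLE object."""
    return EQNEDT_CLSID_LE in blob


def mtef_font_records(stream: bytes):
    """Walk an Equation Native stream; return ([(mtef_offset, tface, style, name)], stop_reason).

    Only the record layouts needed to reach FONT records are sized (tag-only records, and
    LINE / CHAR without option flags). Anything else ends the walk with a reason, so the
    caller knows the result is partial rather than silently wrong.
    """
    cb_hdr, = struct.unpack_from("<H", stream, 0)
    if cb_hdr != EQNOLEFILEHDR_LEN:
        raise ValueError("unexpected EQNOLEFILEHDR size %d" % cb_hdr)
    cb_object, = struct.unpack_from("<I", stream, 8)
    body = stream[EQNOLEFILEHDR_LEN:]
    # cbObject is attacker-controlled; fall back to the whole remainder when it is implausible
    mtef = body[:cb_object] if 0 < cb_object <= len(body) else body
    if len(mtef) < MTEF_HDR_LEN or mtef[0] != 3:
        raise ValueError("not an MTEF v3 stream")

    fonts, pos = [], MTEF_HDR_LEN
    while pos < len(mtef):
        tag = mtef[pos]
        rtype, opts = tag & 0x0F, tag >> 4
        if rtype == REC_FONT:
            # FONT: tag, tface, style, NUL-terminated name. EQNEDT32 copies the name with a
            # strcpy-style loop, so measure exactly what that copy would consume.
            end = mtef.find(b"\x00", pos + 3)
            if end < 0:
                end = len(mtef)          # unterminated: the copy runs to the end of the data
            fonts.append((pos, mtef[pos + 1], mtef[pos + 2], bytes(mtef[pos + 3:end])))
            pos = end + 1
        elif rtype in TAG_ONLY:
            pos += 1
        elif opts:
            return fonts, "record 0x%02X at %d has option flags this walker does not size" % (tag, pos)
        elif rtype == REC_LINE:
            pos += 1                     # LINE without options: tag only, child records follow
        elif rtype == REC_CHAR:
            pos += 4                     # CHAR without options: tag, typeface, 16-bit char code
        else:
            return fonts, "unhandled record type %d at %d" % (rtype, pos)
    return fonts, None


def assess(stream: bytes):
    """Return (findings, stop_reason). A non-empty findings list is the CVE_2017_11882 indicator."""
    fonts, stop = mtef_font_records(stream)
    findings = [
        "FONT record at MTEF offset %d: %d-byte typeface name (CVE-2017-11882 FONT overflow pattern)"
        % (off, len(name))
        for off, _tface, _style, name in fonts
        if len(name) > MAX_SANE_FONT_NAME
    ]
    return findings, stop


def _equation_native(mtef: bytes) -> bytes:
    """Prefix constructed MTEF data with a 28-byte EQNOLEFILEHDR (clipboard format left 0 here)."""
    return struct.pack("<HIHI16x", EQNOLEFILEHDR_LEN, 0x00020000, 0, len(mtef)) + mtef


MTEF_HDR = bytes([3, 1, 1, 3, 10])   # MTEF v3 header: version, platform, product, product version, sub-version

# Constructed benign equation: FULL size, one LINE holding a FONT record and the character 'x'
BENIGN_STREAM = _equation_native(
    MTEF_HDR + b"\x0A" + b"\x01" + b"\x08\x01\x00Times New Roman\x00" + b"\x02\x01x\x00" + b"\x00\x00"
)
# Constructed malicious equation: same skeleton, but the FONT name is 48 bytes of filler,
# standing in for the overlong name that overruns the fixed-size stack buffer in EQNEDT32.EXE
MALICIOUS_STREAM = _equation_native(
    MTEF_HDR + b"\x0A" + b"\x01" + b"\x08\x5A\x5A" + b"A" * 48 + b"\x00"
)
# Constructed fragment of a raw OLE object carrying the Equation Editor CLSID
OLE_BLOB_FRAGMENT = b"\x00" * 64 + EQNEDT_CLSID_LE + b"\x00" * 16

if __name__ == "__main__":
    for label, stream in (("benign", BENIGN_STREAM), ("malicious", MALICIOUS_STREAM)):
        findings, stop = assess(stream)
        print(label, findings or "no overlong FONT name", "(walk stopped: %s)" % stop if stop else "")
    print("Equation Editor CLSID present:", has_equation_editor_clsid(OLE_BLOB_FRAGMENT))
```

The walker deliberately returns a stop reason instead of guessing record sizes it does not know, because a detector that mis-sizes a record can skip straight past the FONT record it was looking for; on a stopped walk, treat the CLSID match alone as the surviving evidence and inspect the stream by hand.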

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: ooxml_oleobject_00.bin
SHA-256: 2d6a6835c4245d19fce98a38ce70de0be880c1bfa2ab12b183fb20e8c01de1e7
Kind: ooxml-ole-object
Source: OOXML embedded OLE part xl/embeddings/dG.UI9f1
Size: 2934272 bytes