Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 03c852f23af131d3…

MALICIOUS

Office (OLE) / .XLS

Size: 1016.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2026-06-16
MD5: 89703d0cb55a0d72283c59e3340218b3
SHA-1: db73d222d660a1f96e34c5ad74271f78f62b1a7b
SHA-256: 03c852f23af131d33910523b3472bc74ca625649674fab19b96fd539de6edb51
Risk score: 70

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical heuristic firing for CVE-2017-0199 indicates that the OLE object attempts to load a remote resource via a URL moniker. This exploit is commonly used to download and execute secondary payloads. The embedded URL points to a suspicious PHP script, suggesting a downloader or initial stage of a more complex attack. No VBA macros were found to be executable, but the exploit itself is sufficient for malicious execution.

Heuristics (3)

  • OLE2Link / URL Moniker → remote loader (CVE-2017-0199) [severity: critical; tag: CVE likely; id: CVE_2017_0199]
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • VBA project contains no executable statements [severity: low; id: OLE_VBA_MACROS]
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL [severity: info; id: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://027173766537/httpswww.coursera.orgprofessional-certificatesgoogle-cloud-digital-leader-trainingmsockid=2a94f95be1a568c830b6ef01e00869eb.php — In document text (OLE body)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1206 bytes
SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673
Extracted VBA source (preview, first 1,000 lines):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Filename: stream_004_off00011a40.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x11A40
Size: 302130 bytes
SHA-256: cb4c471795f1104463ab9ac1b233ec71acdbbc1592855189941bd63a4086348e

Filename: stream_005_off000279a2.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x279A2
Size: 546556 bytes
SHA-256: 3e10b51a9c36c4f22a3be0890059f975373155d913cbcc6bffdc9310ebf72990

Filename: font_00_sfnt_off00007b11.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7B11
Size: 100712 bytes
SHA-256: ced1bb1c102daa3031e6106f2d6d7325bf5f903a49cc36cad47599b0b9573d9c

Filename: font_01_sfnt_off0005472c.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5472C
Size: 23664 bytes
SHA-256: 629bb3ae58b48aa102bf50683221ccbb5b5da062adebb204d455eb5948abeb89

Filename: font_02_sfnt_off0005773c.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5773C
Size: 350964 bytes
SHA-256: fad6c8b0f6b9cb4d69c4b4742cee82b85612951a9846b29e7bed8523e7a55930