Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 0e4e0bb042ae3532…

MALICIOUS

Office (OLE) / .XLSX

Size: 1.27 MB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: 6499b6730a6f66092671bd6d3b858065
SHA-1: 7a094efbbc46522e28d808d0129b38f05237c576
SHA-256: 0e4e0bb042ae35320412f272f12ddf3a5975e495f3135f5375d157b9d382bb20
Risk Score: 70

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic

The critical heuristic indicates exploitation of CVE-2017-0199, used here to download and execute a remote payload from the embedded URL. A VBA project is present and associated with the document, but it contains no executable statements. The embedded URL is the primary indicator of the payload delivery mechanism.

Heuristics (3)

  • OLE2Link / URL Moniker → remote loader (CVE-2017-0199)   severity: critical   [CVE likely]   CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.): this is the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • VBA project contains no executable statements   severity: low   OLE_VBA_MACROS
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, with no executable statements.
  • Embedded URL   severity: info   EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://𐐠𱠠O𐐠𱠠O𐐠𱠠O𐐠𱠠O𐐠𱠠O𐐠𱠠O𐐠𱠠@minily.org/p77Kfrk42

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                              | Size
------------------------------|------------------------------------------------------------------|-----------------|-----------------------------------------------------|------------
macros.bas                    | 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673 | vba-macro       | oletools.olevba.extract_macros (decoded VBA source) | 1206 bytes
font_00_sfnt_off00000fdf.bin  | 4cddfeeaf9b4cc27957fe9f97fe02095f60ed6dfd86b2ac5d1677f98eb0259c0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFDF            | 13368 bytes
font_01_sfnt_off00003792.bin  | d5074e2d68debede1b9bad2f95ae7f1dea96b6ca3159719d1ab379d8a4401ae2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3792           | 12456 bytes
font_02_sfnt_off00005e03.bin  | 0c44dc26cd1012a12975232cd7787057c8d144ffce8ae0beaebb9601e95f86e5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5E03           | 33696 bytes
font_03_sfnt_off0000b0ff.bin  | dda2c95b47916438780f4ad3b9e499b20eec3a59d5f62587f28a5657bc7c3aba | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB0FF           | 6408 bytes