Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 106b2bc1a80cc734…

MALICIOUS

Office (OLE) / .XLS

Size: 869.5 KB
Created: 2024-06-27 14:59:00
Authoring application: Microsoft Office Word
MD5: 18fb4cf13959b927b27173552fa71355
SHA-1: d7bf5879cd6928d07b88d458408c86334b9fb8f4
SHA-256: 106b2bc1a80cc73465dc32534cc9f72364e26d5c4509fee0a96fc545a0fbecbb
Risk score: 118

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample exploits CVE-2017-0199, a known remote code execution vulnerability, by leveraging a URL moniker to download a secondary payload from 'http://intranet/Sites/IT/projects/colleges/Shared%20Documents/Users%20Matrix.xlsx'. The presence of an Excel 4.0 macro sheet and a macro-enabling lure indicates an attempt to bypass security controls and execute malicious code. While VBA macros were present, they contained no executable statements, suggesting the primary execution vector is the CVE exploit.

Heuristics (6)

  • OLE2Link / URL Moniker → remote loader (CVE-2017-0199) [critical] [CVE likely] CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Excel 4.0 (XLM) macro sheet present [medium] OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure [medium] SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
  • VBA project contains no executable statements [low] OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://intranet/Sites/IT/projects/colleges/Shared%20Documents/Users%20Matrix.xlsx
    • http://schemas.micr
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.microsoft.com/office/2006/metadata/contentType
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes
    • http://www.w3.org/2001/XMLSchema
    • http://schemas.microsoft.com/office/2006/metadata/properties
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties
    • http://www.w3.org/2001/XMLSchema-instance
    • http://purl.org/dc/elements/1.1/
    • http://purl.org/dc/terms/
    • http://schemas.microsoft.com/internal/obd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
    • http://schemas.microsoft.com/office/infopath/2007/PartnerControls
    • http://schemas.microsoft.com/sharepoint/v3/contenttype/forms
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: b5f7fd2cf65704dc5f8cb59e21356632e4304c2f286c9369f4eba3916cdd349f
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 663 bytes