Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 1272130e96664e18…

MALICIOUS

Office (OLE) / .XLS

1.01 MB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: ac8e858040a8cead91ef441f86c9cb40 SHA-1: cfa17e7609799a0b1ecc49e2d542bc159af20f7a SHA-256: 1272130e96664e18dfff89fc4e6017c3bbf17090f304df2b3a9c7f604b7ad54a
130 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.005 Visual Basic

The critical heuristic firing for CVE-2017-0199 indicates that the OLE object is designed to exploit a remote code execution vulnerability. The embedded URL is likely used to download and execute a secondary payload. Although the VBA project contains no executable statements, the presence of the CVE exploit and the embedded URL strongly suggests a downloader or dropper functionality.

Heuristics 4

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • ClamAV: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://curt.wiz.co/VRidcbrtv4?&helium=earsplitting&pasta=verdant&mirror=x-rated&gap=brash&life=fluffy&veranda

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
382fc1344a2f0cf6eda18645d41def8d571debc6637bc7fe02a5c83715a51bef		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2112 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.