Office (OLE) / .XLS malware analysis — malicious · 12b3688773df5810

MALICIOUS

Office (OLE) / .XLS

422.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2023-04-19

MD5: c941958dd50bdda33820d8bb93e98c30 SHA-1: d148eb4be2e9f2b7e38e4043b659055eb1ebbd41 SHA-256: 12b3688773df58105deb3a07644601512ff3cf62866e857e6d13aa7e31b66fe7

110 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution T1059.005 Service Execution: Visual Basic T1059.001 Command and Scripting Interpreter: PowerShell

The critical heuristic firing indicates exploitation of CVE-2017-0199 via an OLE2Link object, which attempts to download a remote document from the provided URL. The embedded PDF also contains suspicious static findings. Although no VBA macros were found to be executable, the presence of the OLE2Link exploit and the embedded PDF strongly suggests a malicious downloader attempting to fetch and execute a secondary payload.

Heuristics 4

OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199

Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE

A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://173.44.139.148/q/%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23.doc

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1206 bytes
`stream_001_off00000960.bin` `2998a126f4fa11ceb265371a5f7968ec18bc4692a32631a544232dc74040021f`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x960	252488 bytes
`polyglot_child_pdf_off00011800.pdf` `199e78ac24033521f621fd1ed93a3ef04885817c8b1ff880880f7efe11a6a43b`	polyglot-child-pdf	Secondary PDF body inside ole container at offset 0x11800	360448 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.