Office (OLE) / .XLS malware analysis — malicious · 133ce2d31d6903d8

MALICIOUS

Office (OLE) / .XLS

331.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel

MD5: 2163267b6ed8d8ca5f6684b50fbb84b5 SHA-1: 3843e5bcab644e6618193075308765604cf457b3 SHA-256: 133ce2d31d6903d8f3420d99c66664aed58d893123dac9fbe35d30c8d22af3a7

70 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The critical heuristic firing indicates exploitation of CVE-2017-0199, which is used to download and execute a remote loader from the provided URL. Although VBA macros are present, they contain no executable statements, suggesting the exploit is directly leveraged. The embedded URL is the primary indicator of compromise.

Heuristics 3

OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199

Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://jamp.to/zQFcBq

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1206 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.