Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 1cf8ae3ac14ea3f0…

MALICIOUS

Office (OLE) / .XLSX

Size: 51.5 KB
First seen: 2022-08-11
MD5: f5a4d3e54808426dc34cb279bc1ce8af
SHA-1: 37ccf9fd728341271150b6f465aea05073203a90
SHA-256: 1cf8ae3ac14ea3f056f8f7e94f84887316e5ca1705b4b6178ac764e580515a97
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link: Malicious Link
  • T1059 Command and Scripting Interpreter
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment
  • T1566.002 Phishing: Spearphishing Link

The sample is an encrypted Office document that exploits CVE-2017-0199 via a URL Moniker. This technique is used to download and execute a remote loader from the specified URL. The document itself is encrypted, preventing direct analysis of its content, but the exploit carrier shape and the embedded URL are strong indicators of malicious intent.

Heuristics (5)

  • OLE2Link / URL Moniker → remote loader (CVE-2017-0199) [critical, CVE likely] CVE_2017_0199
    The document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the resource, and processes the response according to its Content-Type (HTA → mshta.exe, RTF → Word, etc.). This is the documented CVE-2017-0199 primitive. The URL's file extension is not a reliable filter: the server can return a different payload depending on the requesting user agent.
  • Default-encrypted OOXML exploit carrier layout [high] OOXML_ENCRYPTED_EXPLOIT_CARRIER_SHAPE
    The default-password-encrypted OOXML package contains embedded OLE object parts plus additional activation/decoy parts. This layout is common in malicious Excel exploit delivery; analysis requires inspecting the decrypted package rather than the outer container.
  • Office document is password-encrypted [medium] OFFICE_ENCRYPTED_PACKAGE
    The OLE container holds an MS-OFFCRYPTO EncryptedPackage using Standard Encryption (Office 2007, AES).
  • Office OOXML encrypted with default VelvetSweatshop password [medium] OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML
    The OLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Excel opens such files transparently without prompting, and malware uses this to hide OOXML exploit parts from scanners that only inspect the outer OLE container.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://jmcglone.com@clik.rip/L7y79
    Note: the text before the "@" is the URI userinfo component, so the host actually contacted is clik.rip, not jmcglone.com.