Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 1eb877ef647b295b…

MALICIOUS

Office (OLE) / .XLSX

Size: 1.25 MB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: 2a0ac97f7c802a3d5b3c1a168adeb3b6
SHA-1: 1b33d084c87ae9c80ae7b3cc49aaefee8d73e210
SHA-256: 1eb877ef647b295b7b0209416db3e1f828faed3ee3ac135f9faf4e140c130805
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File
T1059.001 PowerShell

The critical heuristic that fired indicates exploitation of CVE-2017-0199, a known vulnerability used to download and execute remote content. The extracted URL is highly suspicious and likely points to the secondary payload. The file type and the nature of the exploit suggest downloader or dropper malware.

Heuristics (1)

  • OLE2Link / URL Moniker → remote loader (CVE-2017-0199); flags: critical, CVE, likely, CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.); this is the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter, since servers can return different payloads to Office's user agent.