Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 276becf248e1f08d…

MALICIOUS

Office (OLE)

1.03 MB Created: 1998-03-01 05:56:01 Authoring application: Microsoft Excel First seen: 2020-05-25
MD5: fcac29e69b255cb29fec813c58835a08 SHA-1: 21b0a3a7e3542c580ed72f1f9df871ece5eba2a8 SHA-256: 276becf248e1f08d27ff6397cda538e20aec8069c5dbaedfc5abec8101ce5501
62 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample leverages the OLE2Link / URL Moniker vulnerability (CVE-2017-0199) to fetch and execute a remote file from the URL http://www.boi.org.il/he/Markets/Documents/yazigmizt.xls. The document body contains financial data, suggesting a lure to trick users into opening and enabling macros or interacting with the exploit. The specific exploit technique points to client-side execution via a remote resource.

Heuristics 2

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.boi.org.il/he/Markets/Documents/yazigmizt.xls# In document text (OLE body)
    • http://www.boi.org.il/he/Markets/Documents/yazigmizt.xlsIn document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Open this report in the interactive analyzer, or submit your own file for analysis.