Xls.Downloader.94c25b356b5a6cac-9978798-0 — Office (OLE) / .XLS malware analysis

Static analysis result for SHA-256 2a68cbab81994c92…

MALICIOUS

Office (OLE) / .XLS

908.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2023-08-22
MD5: 7cf09376d2024f2ef8495f81d402ee90 SHA-1: e4b9cbb4f7f6d81295b3fbe5bd230d907f1355e6 SHA-256: 2a68cbab81994c92289a653251749b7c40b6bd089e2f78289e7f78461663bfdd
206 Risk Score

Malware Insights

Xls.Downloader.94c25b356b5a6cac-9978798-0 · confidence 95%

MITRE ATT&CK
T1204 Malicious Link T1566 Phishing T1204.002 Malicious File

The file is an Excel spreadsheet containing an embedded Equation Editor object that exploits CVE-2017-11882. This vulnerability is known to be used for delivering secondary payloads. The presence of multiple embedded PDF files, one of which exhibits a 'PDF_IMAGE_ONLY_LURE' heuristic, suggests a multi-stage infection chain. ClamAV detection further confirms its malicious nature as a downloader.

Heuristics 7

  • Equation Editor Ole10Native payload — CVE-2017-11882 critical CVE likely CVE_2017_11882_EQUATION_OLE10NATIVE
    An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • ClamAV: Xls.Downloader.94c25b356b5a6cac-9978798-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.94c25b356b5a6cac-9978798-0
  • Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
ole10native_00.bin
775fd6be37cdd0921220b8ce04e87e8d10562b07d0bcfa690279824261488534		 ole-package OLE Ole10Native stream: MBD0016DA2C/OLE10natiVE 1462 bytes
polyglot_child_pdf_off0004b200.pdf
c07ce2cc28dfdb2a7b51be0ce240b990e8c0e3fbb324afd60b530f31c961adc2		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x4B200 622592 bytes
polyglot_child_pdf_off00000e00.pdf
f43a87ae33d4636f396613e8676d552f50c0b287b8c430af7d1aaf3f5c15f5ba		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0xE00 926720 bytes
polyglot_child_pdf_off00006200.pdf
44a7a11ad2efd5f7878630fbc01aed47b6a9d13fd39a560b768e353449902dbb		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x6200 905216 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.