Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 3e0a6e80d4427d22…

MALICIOUS

Office (OLE) / .XLS

Size: 632.0 KB | Created: 2006-09-16 00:00:00 | Authoring application: Microsoft Excel
MD5: 63feceb35d3c38a3399ae68e661dbbec
SHA-1: cede8c37520c00efc171bbb2ea1541978767e98a
SHA-256: 3e0a6e80d4427d22bc807628032ba1e1fbf9b733a8b5db26f5c2cc2bae55bb1c
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The critical heuristic that fired indicates exploitation of CVE-2017-0199, a known vulnerability used to download and execute remote content. The extracted URL is highly suspicious and likely serves as the source of the secondary payload. The file's structure shows it is an OLE compound document, a container commonly used for delivering exploits.

Heuristics (1)

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 [severity: critical] [CVE likely] [tag: CVE_2017_0199]
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.