Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 46be32140ad0d0a5…

Verdict: MALICIOUS

File type: Office (OLE) / .XLS

Size: 1.75 MB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: 1bcc478c1843841c6b338a0125bfa158
SHA-1: 76e56066f0c22c407aca3290cc1038bb180e4983
SHA-256: 46be32140ad0d0a5f63b591d7d4743047c7b89c74012c77517b094341f610662

Risk Score: 68

Malware Insights

MITRE ATT&CK

  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The critical heuristic that fired indicates exploitation of CVE-2017-0199 via a URL moniker, which causes Office to download and execute a remote payload from the embedded URL. Although the VBA macros themselves contain no executable statements, the exploit mechanism is present in the OLE structure. The primary IOC is the URL used for the payload download.

Heuristics (2)

  • OLE2Link / URL Moniker → remote loader (CVE-2017-0199)
    Severity: critical; category: CVE likely; rule: CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.), which is the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter, since the server can return different payloads to Office's user agent.
    URL: https://peprolinbot.es/0UVlbm?&streetcar
  • VBA project contains no executable statements
    Severity: low; rule: OLE_VBA_MACROS
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.

Extracted artifacts (7)

Files carved from inside the sample during analysis. Each entry lists the filename, kind, source, size and SHA-256 of the carved file.

  • macros.bas
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1206 bytes
    SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673
  • stream_014_off0001517a.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1517A
    Size: 50448 bytes
    SHA-256: 80c5ba4ef11eeaf89f78293c63f946fbe5dcd398df97b814fb14b3e6efc99505
  • stream_045_off000500fe.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x500FE
    Size: 802458 bytes
    SHA-256: ce534ef5a4a8a608709b6e7feb9e852fb100b363324ded8bc5755d1458fad97f
  • font_00_cff_off0000948d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x948D
    Size: 4346 bytes
    SHA-256: c519944e2651ed4561279107092e12cd4464e92ac4e5e432f215fd25c9797d05
  • font_01_cff_off0000a2e5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xA2E5
    Size: 1292 bytes
    SHA-256: 4d0d0b9961f8f5726523168be1c764290a7398f3e9644c489cacab207e8a3c29
  • font_02_cff_off0001051e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1051E
    Size: 5161 bytes
    SHA-256: 34bb6e660995f03ad87d81639bccad2672ead9e244886b4db8d9ffbbbcb47fa6
  • font_03_sfnt_off00021775.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x21775
    Size: 473880 bytes
    SHA-256: b248f824f3d7a8576bc396826a4d898070c1420564f6ce6aa716aa8ad24f824a