Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 4e913054d7289768…

MALICIOUS

Office (OLE) / .XLS

Size: 1.26 MB | Created: 2006-09-16 00:00:00 | Authoring application: Microsoft Excel
MD5: e0d7acbe67c51c53834e5ca1b9628d76
SHA-1: 520d8e943196bc9384b9271dbecccd171c961ec7
SHA-256: 4e913054d728976888053d5ab51e3156fb72e15a81a823b019ebb98bfcc1ad89
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File Execution: Malicious File

The critical heuristic firing indicates the exploitation of CVE-2017-0199, which is a known vulnerability used to download and execute remote code. The embedded URL is the primary indicator of the remote payload's source. The file is an OLE2Link object, commonly used in such exploits.

Heuristics (1)

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 | Severity: critical | CVE: likely CVE-2017-0199
    The document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the resource, and processes the response according to the Content-Type returned by the server (HTA → mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The file extension in the URL is not a reliable filter, since a server can serve a different payload depending on the requesting user agent (e.g. Office's).