Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 60e0542a30b9379d…

MALICIOUS

Office (OLE) / .XLS

1.01 MB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: 9e57f8d11355afc490feb9cb415165d3 SHA-1: f63ad72689cdabc1aa7629a1170debb01f40c207 SHA-256: 60e0542a30b9379d93ab606396a96476b7d7f40a0b870fa648911eb66bed1348
130 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an Excel file that leverages the CVE-2017-0199 vulnerability to download and execute a secondary payload from a remote URL. The embedded VBA macros are minimal and do not appear to contain executable code, suggesting the exploit is directly tied to the OLE structure. The ClamAV detection as 'Xls.Downloader.Trojan' further supports its malicious nature as a downloader.

Heuristics 4

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • ClamAV: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jktc.pro/6nDb3Q?&soy=horrible&pelican=icky&bend=trite&workbench=icky&batting=penitent&cop-out

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
faef16cfc3b69e6dacc60198a7ccc61c4bb61c8632529929cd74db2189ccdc82		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 906 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.