Office (OLE) / .XLS malware analysis — malicious · 63c3b818994adc49

MALICIOUS

Office (OLE) / .XLS

324.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel

MD5: a2d01bd5780d8b2dc027f42457eb54b9 SHA-1: ed139ace1a47a88bf27d6ee7fa0d8f05e3252d0f SHA-256: 63c3b818994adc490a774b114e21784f8b88c15cb99e31283cb01b79c07feb11

70 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The critical heuristic firing indicates exploitation of CVE-2017-0199, which is used to download and execute a remote loader from the provided URL. The VBA macros were present but contained no executable statements, suggesting they are not the primary infection vector. The embedded URL is the highest priority IOC.

Heuristics 3

OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199

Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://gf.to/wEgKZMPQj

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1206 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.