Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 6442a471211f8889…

MALICIOUS

Office (OLE) / .XLS

974.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: bd6ddad63fc3c23331d2a7fd5ee23c06 SHA-1: 49faa91ee8dd7d5e4484291afa6e1e5bbd0c5b08 SHA-256: 6442a471211f88890f7d98021a2b478a872e1f5e6053a1f52fbd65da97755fbb
130 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.005 Visual Basic

The critical heuristic firing for CVE-2017-0199 indicates that the OLE object is configured to download a remote payload from the provided URL. Although the VBA macros themselves do not contain executable statements, the exploit mechanism is present and relies on the embedded URL for payload delivery. The ClamAV detection further confirms the malicious nature of the file, identifying it as a downloader trojan.

Heuristics 4

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • ClamAV: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://short.ruksk.com/MJoi1u?&hosiery=imminent&basketball=innate&greece=brash&board=wee&pacemaker

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
382fc1344a2f0cf6eda18645d41def8d571debc6637bc7fe02a5c83715a51bef		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 2112 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.