Office (OLE) / .XLS malware analysis — malicious · 6d577060ff3bad7b

MALICIOUS

Office (OLE) / .XLS

1.46 MB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel

MD5: e74cbd9bb71cce627609489de9dbf0ab SHA-1: 80f14153a657e7ee036db77604b80d0a35140759 SHA-256: 6d577060ff3bad7bfa73f730efe9c5a582ba04c2694191ce22c1c75b17a1b0c9

78 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The critical heuristic firing for CVE-2017-0199 indicates the exploitation of a known vulnerability to load remote content. The embedded URL, https://wegivebestvalurforthepeopleswhogivingmethevalueforeverneedbest.busienss@link.scogo.in/xKPS9C, is likely the source of the second-stage payload. The 'SE_INVOICE_LURE' heuristic suggests the document is designed to trick the user into opening it, consistent with a spearphishing attachment. No VBA code was found to be executable, but the presence of the CVE exploit is the primary indicator of malicious activity.

Heuristics 4

OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199

Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://wegivebestvalurforthepeopleswhogivingmethevalueforeverneedbest.busienss@link.scogo.in/xKPS9C
- http://schemas.openxmlformats.org/officeDocument/2006/customXml
- http://www.w3.org/2001/XMLSchema

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1206 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.