Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 6fd5675052509542…

MALICIOUS

Office (OLE) / .XLS

Size: 1.12 MB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2026-06-15
MD5: e9aa2907ab13267555e46601718fd814
SHA-1: 79c5318e0441a3547afabca967e5e04d286f4304
SHA-256: 6fd5675052509542ff9991557a525b6df06e979f137168ddbd510006bc3cf69f
Risk Score: 110

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer

The critical heuristic indicates that the Equation Editor OLE object contains shellcode designed to download a second-stage payload from the extracted URLs. The VBA project contains no executable statements; the shellcode is responsible for the malicious activity. Its intent is to download and execute a payload from http://192.3.140.105, saving it as %APPDATA%\-\/-----\/-----030000706151.hTA.

Heuristics (4)

  • Equation Editor OLE object [high] [CVE related] [OLE_EQUATION_EDITOR]
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • Equation Editor shellcode downloads a second-stage payload [critical] [OLE_MTEF_SHELLCODE_DOWNLOAD_URL]
    The shellcode reached by the Equation Editor overflow resolves download/exec APIs and fetches a second-stage payload. The URL was recovered by emulating the shellcode's self-decoding stub; an integer-encoded host (e.g. http://000030000706151) is normalised to its dotted-quad form and both spellings are surfaced.
  • VBA project contains no executable statements [low] [OLE_VBA_MACROS]
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL [info] [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://192.3.140.105 (in document text, OLE body)
    • http://000030000706151 (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1206 bytes
SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True