Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 733b15df7afe396d…

MALICIOUS

Office (OLE) / .DOC

978.0 KB Created: 2016-03-15 14:47:00 Authoring application: Microsoft Office Word
MD5: d7df466c1002b693625f734c76f314a3 SHA-1: d59b72275e1e662f0704cfba7eb97c34d24b57d9 SHA-256: 733b15df7afe396d5fdab2652eb3bcec9d21d3d3cf73fe2421fe8a59e7a4efbc
118 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample exploits CVE-2017-0199, a known vulnerability for remote code execution, by leveraging a URL moniker to download a secondary payload. The presence of an Excel 4.0 macro sheet and a VBA project, along with heuristics indicating a lure to enable macros, further supports this attack pattern. The embedded URL points to a potentially malicious Excel file, suggesting a downloader or dropper functionality.

Heuristics 6

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://intranet/Sites/IT/projects/colleges/Shared%20Documents/Users%20Matrix.xlsx
    • http://schemas.micr
    • http://schemas.openxmlformats.org/drawingml/2006/main
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.microsoft.com/office/2006/metadata/contentType
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes
    • http://schemas.microsoft.com/office/2006/metadata/properties
    • http://www.w3.org/2001/XMLSchema
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties
    • http://www.w3.org/2001/XMLSchema-instance
    • http://purl.org/dc/elements/1.1/
    • http://purl.org/dc/terms/
    • http://schemas.microsoft.com/internal/obd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
    • http://schemas.microsoft.com/office/infopath/2007/PartnerControls
    • http://schemas.microsoft.com/sharepoint/v3/contenttype/forms
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b5f7fd2cf65704dc5f8cb59e21356632e4304c2f286c9369f4eba3916cdd349f		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 663 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.