Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 7b010ee4fbbab7d0…

MALICIOUS

Office (OLE) / .XLSX

Size: 1.12 MB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: 2da9f7fe1b626d812605fdd5ae41c40c
SHA-1: af9616f89d3dfb5004e61661f7fa741fc0b3be02
SHA-256: 7b010ee4fbbab7d0c9ceec8009a4fa153df0e67d9482b4122cb5cfae2beff384
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The critical heuristic firing indicates exploitation of CVE-2017-0199 via an OLE2Link object, which attempts to load a remote resource from the URL https://cebol.me/dnZ2KT?. The embedded PDF also contains suspicious URIs. This suggests the file acts as a dropper for a secondary payload.

Heuristics (4)

  • OLE2Link / URL Moniker → remote loader (CVE-2017-0199)  [critical, CVE likely, CVE_2017_0199]
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Secondary embedded PDF body has suspicious static findings  [high, POLYGLOT_CHILD_PDF_STATIC_TRIAGE]
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • External URI  [info, PDF_URI]
    PDF contains an external URL action.
  • Embedded URL  [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • https://cebol.me/dnZ2KT?&
      • http://www.tcpdf.org
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://www.aiim.org/pdfa/ns/extension/
      • http://www.aiim.org/pdfa/ns/schema#
      • http://www.aiim.org/pdfa/ns/property#
      • http://www.aiim.org/pdfa/ns/id/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: polyglot_child_pdf_off00001200.pdf
    SHA-256: 3ac9318e9cc9fe0a7ddf26cb5888114f860823f915b41af3be5308cb9a9868da
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside OLE container at offset 0x1200
    Size: 1166848 bytes