Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 7c2732f5c5b631c3…

MALICIOUS

Office (OLE) / .XLSX

643.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: 909297f1f5c3717a456fcc1904d7e590 SHA-1: e55a62dc052533705e0f680a64b7fe37dfcb1f9f SHA-256: 7c2732f5c5b631c310f46163ed8ad469e72e97598851348004b34a5d2268cabb
144 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample leverages the CVE-2017-0199 vulnerability, indicated by the 'OLE2Link / URL Moniker' heuristic, to fetch a remote payload from the URL 'https://linkjago.me/pZchDM?&chowder=tacit&pine=sordid&bail=dramatic&pollution=tearful&vagrant=sleepy&shadow'. The embedded PDF, which also contains suspicious findings, and the general advance-fee scam lure suggest a multi-stage attack aimed at tricking the user into downloading and executing malicious content.

Heuristics 5

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://linkjago.me/pZchDM?&chowder=tacit&pine=sordid&bail=dramatic&pollution=tearful&vagrant=sleepy&shadow

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
polyglot_child_pdf_off0005e000.pdf
2bf53956c931e495729220507963078f590802c3810de6a41773c34fb1bbc4e1		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x5E000 273408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.