Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 7ee15891401200a6…

MALICIOUS

Office (OLE) / .XLSX

Size: 973.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel

MD5: 6df20113d6897a1a2aac720d585189fd
SHA-1: 1f835735bb9323c9257ede079cf1d6124f6ac28a
SHA-256: 7ee15891401200a6f4b34577e065a2392ce9468d2a415fd81970a4133a047a37

Risk Score: 130

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic

The file is detected as malicious by ClamAV and exhibits characteristics of a downloader trojan. The critical heuristic firing for CVE-2017-0199 indicates the exploitation of a known vulnerability to fetch a remote payload from the provided URL. Although the VBA macro source is truncated, the presence of VBA code suggests it is used in conjunction with the exploit to facilitate the download and execution of the second-stage malware.

Heuristics (4)

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 [critical] [CVE likely: CVE_2017_0199]
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • ClamAV: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0 [critical] [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0
  • VBA project contains no executable statements [low] [OLE_VBA_MACROS]
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.
  • Embedded URL [info] [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://short.ruksk.com/wDIA0l?&cymbal=clean&sociology=volatile&hand=noxious&homogenate=innate&client

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  2112 bytes
  Hash: 382fc1344a2f0cf6eda18645d41def8d571debc6637bc7fe02a5c83715a51bef