Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 804029ced87879a1…

MALICIOUS

Office (OLE) / .XLSX

Size: 431.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2023-03-21
MD5: d20ea90d3cb995380f4a17642c9b683b
SHA-1: 92c94d1106901702a0f6ba17cb53dc63ca9f9be4
SHA-256: 804029ced87879a1431aa86c48cfadc31d446f5c5dee5b4db650ca8e616f41f9
Risk score: 62

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File Execution: Malicious File
T1059.001 Command and Scripting Interpreter: PowerShell

The sample is an OLE file that exploits CVE-2017-0199, a known remote code execution vulnerability. The embedded URL, http://EEEEEEE00EOE0EOE0EO0EOE0EOEOOE0EOEO0EOEO0EOEOOEE0OEOOEOE0EOEOE0OEOEOE0OEOEOOOEEEEEERIRIRIRIRIRIRIRIRRR0R0RIRIRIR0RI0RIR@3221484439/02..................02....................doc, is highly suspicious and most likely acts as a loader for a second-stage payload: the long letter string before the "@" is URL userinfo, the host is written as a single integer rather than a hostname or dotted IP, and the path ends in ".doc" even though the extension says nothing about what the server will actually return. The document body is heavily obfuscated and unreadable, so it gives no further context on the lure.

Heuristics (2)

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 [critical, likely] CVE_2017_0199
    The document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the response, and processes it according to its Content-Type (HTA → mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL's file extension is not a reliable filter; the server can return a different payload to Office's user agent than it does to a browser or a scanner.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://EEEEEEE00EOE0EOE0EO0EOE0EOEOOE0EOEO0EOEO0EOEOOEE0OEOOEOE0EOEOE0OEOEOE0OEOEOOOEEEEEERIRIRIRIRIRIRIRIRRR0R0RIRIRIR0RI0RIR@3221484439/02..................02....................doc