Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 8797f85df085e2e7…

MALICIOUS

Office (OLE) / .XLSX

Size: 1.33 MB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: cd6350a45b18c692bab3e26ec896f269 SHA-1: a440ab5363216172157a180bb7195b9d3590a658 SHA-256: 8797f85df085e2e70b903109409ab006260299ad3390f9ff49d75ff1beeae133
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File: User Execution
  • T1059.001 PowerShell
  • T1204 User Execution
  • T1190 Exploit Public-Facing Application

The sample is an OLE2Link file that exploits CVE-2017-0199 via a URL moniker to download and execute a remote payload. The embedded PDF also contains suspicious static findings, indicating a multi-stage attack. The primary IOC is the URL used for the initial payload download.

Heuristics (2)

  • OLE2Link / URL Moniker → remote loader (CVE-2017-0199)
    Tags: critical, CVE likely, CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.), which is the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
    URL http://025475341755?&RrʀԻᏒᚱRRrʀԻᏒᚱRRrʀԻᏒᚱRRrʀԻᏒᚱRRrʀԻᏒᚱRRrʀԻᏒᚱR
  • Secondary embedded PDF body has suspicious static findings
    Tags: critical, POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                            Kind                Source                                                    Size
font_00_sfnt_off0000211f.bin        pdf-font-stream     PDF embedded font (sfnt) at offset 0x211F                 13368 bytes
  SHA-256: 4cddfeeaf9b4cc27957fe9f97fe02095f60ed6dfd86b2ac5d1677f98eb0259c0
font_01_sfnt_off000048d2.bin        pdf-font-stream     PDF embedded font (sfnt) at offset 0x48D2                 12456 bytes
  SHA-256: d5074e2d68debede1b9bad2f95ae7f1dea96b6ca3159719d1ab379d8a4401ae2
font_02_sfnt_off00006f43.bin        pdf-font-stream     PDF embedded font (sfnt) at offset 0x6F43                 33696 bytes
  SHA-256: 0c44dc26cd1012a12975232cd7787057c8d144ffce8ae0beaebb9601e95f86e5
font_03_sfnt_off0000c23f.bin        pdf-font-stream     PDF embedded font (sfnt) at offset 0xC23F                 6408 bytes
  SHA-256: dda2c95b47916438780f4ad3b9e499b20eec3a59d5f62587f28a5657bc7c3aba
polyglot_child_pdf_off00000ac0.pdf  polyglot-child-pdf  Secondary PDF body inside OLE container at offset 0xAC0   1387328 bytes
  SHA-256: 4c2eac84ebf91b13636d7d01406e71fd88ba832f8fe3284fd734ee1e007b2a49