Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 891527938091f9ee…

MALICIOUS

Office (OLE) / .XLS

1.68 MB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2026-06-13
MD5: a590b3fc9d462041944a1d03d00e9911 SHA-1: 01e7316c6021262bfd0035f6cdb536cecfb054da SHA-256: 891527938091f9ee3549a73d24777840e18687a0ed4d64ff100828c54b0c115f
274 Risk Score

Heuristics 9

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • TrueType bitmap font + active content — CVE-2023-26369 related high CVE related PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • Obfuscated Pidief-style JavaScript loader (stage not decoded) high CVE related PDF_PIDIEF_OBFUSCATED_VERSION_GATED_LOADER
    PDF JavaScript carries a large opaque encoded stage (a letter-delimited numeric character-code array) that is built to be decoded and eval'd, but no exact Adobe Reader CVE could be attributed because the encoding scheme resisted full static decoding. This is the structural fingerprint of the Pidief / multi-CVE exploit-kit loader family — a version-gated obfuscated JavaScript stage with no benign use. Flagged suspicious on its own; an ML/AV signal or a recovered heap-spray pushes it to malicious.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • VBA project contains no executable statements info OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://link.takusuki.com/wfJqTF In document text (OLE body)
    • https://wwww.microsoft.com0In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://ns.adobe.com/pdf/1.3/In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
    • https://docs.microsoft.com/typography/abouthttp://lucasfonts.comMicrosoftIn document text (OLE body)
    • http://en.wikipedia.org/wiki/MIT_LicenseIn document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl0ZIn document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_2010-07-06.crt0In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0ZIn document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0��In document text (OLE body)
    • http://www.microsoft.com/PKI/docs/CPS/default.htm0@In document text (OLE body)
    • http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0ZIn document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0In document text (OLE body)
    • http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0lIn document text (OLE body)
    • http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt0In document text (OLE body)
    • http://www.microsoft.com/pkiops/Docs/Repository.htm0In document text (OLE body)
    • http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0In document text (OLE body)

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1206 bytes
SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
stream_014_off0003f52b.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3F52B 566620 bytes
SHA-256: b0a7e7055d5b66edffe76c7b1f32ec80318d696df6181f1536f27aa69517872f
stream_015_off0006f1fe.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6F1FE 398152 bytes
SHA-256: 0d5715bfb4def94d644e408c5ed714ea2ac557b061d036e7fdcf0a2bf1c990e2
font_02_sfnt_off000882ce.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x882CE 346068 bytes
SHA-256: ff37b045be3591e8cfbfa76f5dec51bee78deccafa1dc391d1edb36502c7f815
polyglot_child_pdf_off000b0600.pdf polyglot-child-pdf Secondary PDF body inside ole container at offset 0xB0600 1036816 bytes
SHA-256: 3ea31ce908aefc7d959428ebe7aff59d2d8679e584f5ad71b9e52b31bc4296c5
polyglot_child_pdf_off000db600.pdf polyglot-child-pdf Secondary PDF body inside ole container at offset 0xDB600 860688 bytes
SHA-256: d379337914a61ddec583a1fabcab03968a429fa7c31fa8b0a0449d406981e5db