Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 91f4d71337abe448…

MALICIOUS

Office (OLE) / .XLSX

Size: 1.19 MB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: a49b1b7bf274a3bec5a6acc2d65b0c4c
SHA-1: 5eb6483ba54011b5a7d21b92fddfa90fc3e8c389
SHA-256: 91f4d71337abe448d6ab73b5406531206732d3ca4a466bf13036c5f2fa7112ef
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File
T1059.001 PowerShell

The critical heuristic firing indicates exploitation of CVE-2017-0199, which is a known vulnerability used to download and execute remote content. The extracted URL is highly suspicious and likely points to the secondary payload. The file is an OLE object, commonly used for delivering exploits.

Heuristics (1)

  • OLE2Link / URL Moniker → remote loader (CVE-2017-0199)
    Severity: critical; tags: CVE, likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.); this is the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.