Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 9347c058bb6f40a6…

MALICIOUS

Office (OLE) / .XLS

575.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: a210651176bfc23652de1dd866daa6af SHA-1: d2415802ccd883f6bbf646636af761b82f9ede82 SHA-256: 9347c058bb6f40a699fc045feb9d56382513832f03ff1806c2de36de3f4a442f
130 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File Execution: Malicious File T1059.001 Command and Scripting Interpreter: PowerShell

The critical heuristic firing for CVE-2017-0199 indicates that the OLE file uses a URL moniker to load remote content. The embedded URL, http://ႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳ0000000000000=QQQQQQQQQQQQQQQQQQ@0010217725022, is highly suspicious and likely serves as a download location for a secondary payload. Additionally, a secondary embedded PDF with suspicious static findings was detected, suggesting a multi-stage attack. The VBA macros were present but contained no executable statements, indicating they are not the primary infection vector.

Heuristics 5

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1206 bytes
ole10native_00.bin
53a62718faff4f387c6ae1a08b5470bcde0cc8b8b9589bc4fbd4068aa5ca3047		 ole-package OLE Ole10Native stream: MBD001B6D08/Ole10Native 47358 bytes
ole10native_01.bin
9dfbf06cc002123f869b9ba2a1cae2139541d3c47bbb06084752cfb55016e2aa		 ole-package OLE Ole10Native stream: MBD001B6D09/Ole10Native 503989 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
stream_001_off0000172c.bin
6ecbe69c64f9be1284415ac7fe7401f1de1269ca13e68a5fb287c68ba63eaa23		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x172C 67500 bytes
stream_018_off00052fa6.bin
1da59f4222664aea28180e5df21a1a9e0a2da855c9148f18193ecda22911da5d		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x52FA6 264076 bytes
stream_019_off00064c52.bin
b001f0bb2cc20c40e052942ec2d58156fc07ea02c8f9ff28ad0b5cdcfb3220cc		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x64C52 469000 bytes
polyglot_child_pdf_off000008c5.pdf
86df5a8919dfb311b0801cddcd479dc9254e753aaabc3ad2bb3edc7431d8be35		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x8C5 586555 bytes
polyglot_child_pdf_off0000d2bc.pdf
f122e097804bf6dae38625ea7d27d213e16440b4cf8d536b9f38e3bf3cdd5893		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0xD2BC 534852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.