Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 98ccd70086d1645a…

MALICIOUS

Office (OLE) / .XLS

Size: 844.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: 19a4218cd544a08eaa2936e153075f0d
SHA-1: 23b587fd56a3061eab93d1cac6576b311de577a1
SHA-256: 98ccd70086d1645aaf9cad10e2b3c46cf629aaf9608ab08d5bcac9ce40bf1ca7
Risk Score: 68

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File
T1059.005 Visual Basic

The critical heuristic firing for CVE_2017_0199 indicates that this OLE file is designed to act as a remote loader, leveraging a URL Moniker to fetch and execute a secondary payload. The embedded URL is the primary indicator of the remote resource. Although a VBA project is present, its modules contain no executable statements, which suggests the exploit lives directly in the OLE structure rather than in macro code.

Heuristics (3)

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 [critical] [CVE likely] CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • VBA project contains no executable statements [low] OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://030000644610�g�;�A=z

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size (with the SHA-256 of each carved file):

macros.bas
  SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 1206 bytes

stream_002_off0003143e.bin
  SHA-256: f2951dec6c447226a46f2ef66a88bc53bfb49ea238f8aa11495e3f4412148c78
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x3143E
  Size: 589956 bytes

stream_004_off00069a10.bin
  SHA-256: bed483098579cb54e4c46d7bc96a8f67fffdabfe857d073fce5794e26d65f738
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x69A10
  Size: 568384 bytes

font_00_sfnt_off0001b10c.bin
  SHA-256: 29b7877085b9d58ec1e86435cb951197bb010b6a5da0cc21fa45b808e6f3bf66
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1B10C
  Size: 345200 bytes

font_02_sfnt_off0009c76a.bin
  SHA-256: a1605696cbb7129724ec887654f8e3b881348b214a6fb0c2d399f9e039e8702c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9C76A
  Size: 345900 bytes