Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 99a218e5ef6b32d4…

MALICIOUS

Office (OLE) / .XLS

Size: 753.0 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2026-06-22
MD5: 22c64ea564c04e44c54779a9ebb83407
SHA-1: dd949eb805b3f13c863371f0cb2d828d129a20c3
SHA-256: 99a218e5ef6b32d486a6fddfdea72a37a58f0681cf8ff4913a704b020831077b
Risk score: 224

Heuristics (7)

  • Equation Editor Ole10Native payload — CVE-2017-11882 | severity: critical | CVE likely | rule: CVE_2017_11882_EQUATION_OLE10NATIVE
    An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
  • Equation Editor OLE object | severity: high | CVE related | rule: OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • Equation Editor shellcode downloads a second-stage payload | severity: critical | rule: OLE_MTEF_SHELLCODE_DOWNLOAD_URL
    The shellcode reached by the Equation Editor overflow resolves download/exec APIs and fetches a second-stage payload. The URL was recovered by emulating the shellcode's self-decoding stub; an integer-encoded host (e.g. http://000030000706151) is normalised to its dotted-quad form and both spellings are surfaced.
  • x86 GetPC stub (CALL $+5; POP ECX) | severity: high | rule: SC_GETPC_CALL
    Disassembly of the candidate code region:
    x86 disassembly · validity: code (0.705) — 8/12 branch targets land on an instruction boundary (67% coherence)
    000836FE  e800000000        call 0x83703
    00083703  59                pop ecx
    00083704  81c119010000      add ecx, 0x119
    0008370A  90                nop
    0008370B  eb05              jmp 0x83712
    0008370D  e9e4000000        jmp 0x837f6
    00083712  8da9d7020000      lea ebp, [ecx + 0x2d7]
    00083718  6bf600            imul esi, esi, 0
    0008371B  9c                pushfd
    0008371C  50                push eax
    0008371D  53                push ebx
    0008371E  5b                pop ebx
    0008371F  90                nop
    00083720  51                push ecx
    00083721  2d3b3d0000        sub eax, 0x3d3b
    00083726  9c                pushfd
    00083727  52                push edx
    00083728  50                push eax
    00083729  eb39              jmp 0x83764
    0008372B  dcbe495bb9ad      fdivr qword ptr [esi - 0x5246a4b7]
    00083731  eb68              jmp 0x8379b
    00083733  8b9c52568d92d2    mov ebx, dword ptr [edx + edx*2 - 0x2d6d72aa]
    0008373A  7c00              jl 0x8373c
    0008373C  0081c6fd1700      add byte ptr [ecx + 0x17fdc6], al
    00083742  009c535281eb35    add byte ptr [ebx + edx*2 + 0x35eb8152], bl
    00083749  4a                dec edx
    0008374A  0000              add byte ptr [eax], al
    0008374C  81c34e5a0000      add ebx, 0x5a4e
    00083752  5a                pop edx
    00083753  5b                pop ebx
    00083754  9d                popfd
    00083755  8d92e8520000      lea edx, [edx + 0x52e8]
    0008375B  81                .byte 0x81
    0008375C  c2                .byte 0xc2
    0008375D  2f                das
  • Suspicious extracted artifact | severity: medium | rule: EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project contains no executable statements | severity: info | rule: OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL | severity: info | rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs and the channel that reached each:
    • http://192.3.140.105?&VVVVVVVVVVV  (in document text, OLE body)
    • http://000000000030000706151?&VVVVVVVVVVV  (in document text, OLE body)
    • http://000030000706151  (in document text, OLE body)
    • http://192.3.140.105  (decoded from obfuscated IP host 000030000706151)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1206 bytes
SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
ole10native_00.bin | ole-package | OLE Ole10Native stream: MBD004367F3/Ole10naTIvE | 1459 bytes
SHA-256: 139622fae218352aebc55e7665e25696be20fe3551699f7114523e63c5ba65c4
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL