Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 99e1e256c872e4db…

MALICIOUS

Office (OLE) / .XLSX

954.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2026-04-21
MD5: 2f2af338af1887f035c7dd3d9fb6dc4c SHA-1: 12fb23d6d9fbb1ac5995f236ab17168aed61d065 SHA-256: 99e1e256c872e4db55d3f4d9604a1d4d2e7b4fe89ec4874c40cc84ee8ead088f
152 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1204.001 User Execution: Malicious Link T1059.005 PowerShell T1059.001 PowerShell

The sample contains an embedded Equation Editor OLE object, which is a known exploit vector. This object likely triggers the execution of a secondary embedded PDF. The PDF itself contains JavaScript that appears to be a generic exploit stage, attempting to download and execute further payloads. While the VBA macros themselves are not executable, the presence of the Equation Editor exploit and the embedded PDF with JavaScript strongly suggests a multi-stage attack. The specific URLs extracted are benign, but the overall structure points to a downloader or exploit delivery mechanism.

Heuristics 6

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/illustrator/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://www.iec.ch

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1206 bytes
ole10native_00.bin
0c3537375ec2a62cf1031b68e08503c555544e5b3334604abb9484de33447c01		 ole-package OLE Ole10Native stream: MBD00526DF6/olE10natIve 1804 bytes
stream_027_off0002ed5b.bin
b1d3870696b037464d54072ab0c6b02a60531ec979a87ca3c76ba3f09ac802ca		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2ED5B 457920 bytes
generic_stage_recovery_000.js
c1381287527da8e4bf79534e0760e5a06c92b164a62fa55c5e93e93a5417f439		 deobfuscated-js generic stage recovery percent-decode from raw PDF metadata at offset 0x0 262144 bytes
icc_00_off00056af5.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x56AF5 3144 bytes
font_00_sfnt_off00057b87.bin
8b9b49d3bcfcf773b551db446dd8c0b0b9077e2c0780475adbef04da72583906		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57B87 1764 bytes
polyglot_child_pdf_off00001000.pdf
774e13b0db599564ebbf6671e89ccd4aebcdfa1380c90756014cd778c463bb33		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x1000 972800 bytes
polyglot_child_pdf_off00018a00.pdf
56dec50667cfda4da07b5ccfd2a566afd441ebea814ce8b5e8f7315b8974577e		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x18A00 876032 bytes
generic_stage_recovery_000_1.js
7d7c247c57a51120e670f6b372583e3926993121b77dca9dba3ad410cdb7837e		 deobfuscated-js generic stage recovery percent-decode from raw PDF metadata at offset 0x0 262144 bytes
polyglot_child_pdf_off00063200.pdf
ef4f339afe64fe5e737bb0d783bf683b21166dc241c57ea13667081e6dbe344b		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x63200 570880 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.