Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ad0cb57caec0d1cd…

MALICIOUS

Office (OLE) / .XLS

Size: 511.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2023-07-21
MD5: 20acf9b3fa571f0ab0ed9f8ff2c6e18e
SHA-1: 20843d1f5a234c3630a4d747c8c3d4d8ab87d17b
SHA-256: ad0cb57caec0d1cd4589baa182a4bad738665ac04c59a08529659d4d8d979cb8
Risk Score: 134

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The critical heuristic firing for CVE_2017_0199 indicates that the OLE file attempts to use a URL moniker to load a remote resource from the specified URL. The embedded PDF, while containing only images and no text operators, is also flagged as suspicious. The VBA macros, though not directly executable, are present within the document structure, suggesting a potential delivery mechanism for the exploit.

Heuristics (6)

  • OLE2Link / URL Moniker → remote loader (CVE-2017-0199)
    Severity: critical | Rule: CVE_2017_0199 | Tag: CVE likely
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.), which is the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Secondary embedded PDF body has suspicious static findings
    Severity: critical | Rule: POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • VBA project contains no executable statements
    Severity: low | Rule: OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Object number defined twice with different bodies
    Severity: info | Rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • PDF paints image(s) but contains no text operators
    Severity: info | Rule: PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL
    Severity: info | Rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://192.3.118.24/IBO/ib/SIXDISIXSDISIDXSDIXSIDXSIDASIDIXSDI%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23SIDCSDIXSDIXSDIXSDIXSDXISDIXSDI.DOC

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • macros.bas
    SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1206 bytes
  • stream_003_off00005f60.bin
    SHA-256: 2998a126f4fa11ceb265371a5f7968ec18bc4692a32631a544232dc74040021f
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x5F60
    Size: 252488 bytes
  • polyglot_child_pdf_off00000e00.pdf
    SHA-256: 8269528e9280dc8679c7957896caeac97b7b84fa03ca144d5d3c4bd7557fba35
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside OLE container at offset 0xE00
    Size: 520192 bytes
  • polyglot_child_pdf_off00006400.pdf
    SHA-256: ef9fb6a4f5dbac8038881736a390bfcfd8ca085a708b521654976be5a8dd6ff5
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside OLE container at offset 0x6400
    Size: 498176 bytes
  • polyglot_child_pdf_off00029400.pdf
    SHA-256: 5d6025d1195881a30f2fa6f5d345a995a62a83dad91d3d302de261018e538841
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside OLE container at offset 0x29400
    Size: 354816 bytes
  • polyglot_child_pdf_off0004bc00.pdf
    SHA-256: 5ac085c1294a8e321e391ae360188838c3000984e607a21d729257d2a47d51ab
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside OLE container at offset 0x4BC00
    Size: 213504 bytes