Office (OLE) / .XLS malware analysis — malicious · af9cd10c7be5d521

MALICIOUS

Office (OLE) / .XLS

659.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2026-06-09

MD5: 59f71cbd127f01e790b64c0ec407bb4a SHA-1: 4ea2ce9f28aa94ec411f01d279cf75a6edcffa2a SHA-256: af9cd10c7be5d521af390fb664bd6f159f4753e147e1bbafb5b706bf5cfc15af

126 Risk Score

Heuristics 5

OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199

Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE

A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
VBA project contains no executable statements info OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.microsoft.com/typography/ctfontshttp://www.fonts.comMicrosoft In document text (OLE body)
- http://www.microsoft.com/typography/fonts/default.aspxIn document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0XIn document text (OLE body)
- http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0In document text (OLE body)
- http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0aIn document text (OLE body)
- http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0In document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0TIn document text (OLE body)
- http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0In document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^In document text (OLE body)
- http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0��In document text (OLE body)
- http://www.microsoft.com/pkiops/docs/primarycps.htm0@In document text (OLE body)
- http://www.microsoft.com/TypographyIn document text (OLE body)

Extracted artifacts 8

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1206 bytes
SHA-256: `7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`stream_001_off0001d484.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x1D484	285576 bytes
SHA-256: `9599658cc9eae50662a589134de51ec670e648f453a28cffaa4d13a581396cbb`
`stream_018_off00077c98.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x77C98	66548 bytes
SHA-256: `cab0eabf04a5d34936562832ff53bf107c823929526a3b58826cc1b60b8c2bbc`
`font_00_sfnt_off00000092.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x92	247956 bytes
SHA-256: `2f6f10cfe750cee13c0695f878803785e8819f02fcd31d31ce4e1395b9ffc685`
`font_02_sfnt_off00073fc0.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x73FC0	40548 bytes
SHA-256: `5e68e88c987c54e64a4d101ad3db57add9e4929aeec402e4fee53d1cd7aa537a`
`font_04_sfnt_off0007eec7.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7EEC7	56496 bytes
SHA-256: `dcf6f0923ad448731206952ff57c4d2b3e8620fc6972598ab1bd23d28e62ab42`
`font_05_sfnt_off000845f5.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x845F5	5220 bytes
SHA-256: `31710cdfd216f38fb46a851db560161e19419f08661279aff779873a436d680d`
`polyglot_child_pdf_off00001600.pdf`	polyglot-child-pdf	Secondary PDF body inside ole container at offset 0x1600	669184 bytes
SHA-256: `c776b22a4928340e873d6ae80b486d3987627b4d1773ac711828c50e966f4004`

Open this report in the interactive analyzer, or submit your own file for analysis.