Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 affe773acf95efa8…

MALICIOUS

Office (OLE) / .XLS

Size: 435.0 KB   Created: 2006-09-16 00:00:00   Authoring application: Microsoft Excel
MD5: 96845901400ef3b47872d9ff8c641ee3
SHA-1: 1e3594cf557453b6525cc7b4977cc7b27323f147
SHA-256: affe773acf95efa80223d2eefddcb12bf1b5f3288bae03958a8e9e16cdd1e028
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The primary heuristic firing indicates exploitation of CVE-2017-0199 via an OLE2Link object, which is designed to download and execute a remote loader from the URL 'https://exi.link/YPZbRr'. The embedded PDF also contains suspicious URIs, further supporting the malicious intent. The file is an Excel spreadsheet, likely used as a lure to trick users into opening it and triggering the exploit.

Heuristics (4)

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 [critical, CVE likely] (CVE_2017_0199)
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, fetches the URL, and processes the response according to its Content-Type (HTA → mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL's file extension is not a reliable filter: the server can return a different payload to Office's user agent than to any other client.
  • Secondary embedded PDF body has suspicious static findings [high] (POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://exi.link/YPZbRr
    • https://www.business.hsbc.com.hk/en-gb/resource-centre/commercial-tariffs
    • https://www.online-banking.business.hsbc.com.hk/portalserver/hsbc/dbbpage/commercial/online/timetable/cutoff

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

font_00_sfnt_off00007926.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x7926
    Size:    13936 bytes
    SHA-256: 9a85db95c587691a5874b31b664b687edfec6192fc00b1fd6cbfbbe56ee0e2a8

font_01_sfnt_off00009fa1.bin
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x9FA1
    Size:    13556 bytes
    SHA-256: 3c119924dbdaf638dde5d0098e911912b53026a6636c8a487543986d08e96bb1

polyglot_child_pdf_off00000c00.pdf
    Kind:    polyglot-child-pdf
    Source:  Secondary PDF body inside OLE container at offset 0xC00
    Size:    442368 bytes
    SHA-256: 65945d5fb5ff4de248d71105790872c5225bf659967b36ddececad8ae0dfe70b