Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 b2fbcc98e0705295…

MALICIOUS

Office (OLE) / .XLS

Size: 433.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: 5669a3ce210f3f26409450debf5dd960
SHA-1: c4f7c90e0775167915f79977319d307e8b0f6361
SHA-256: b2fbcc98e070529569dd039c7fcf7a997245488d686d839b6e0fec7eb5dbf1b0
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample carries an OLE2Link object that exploits CVE-2017-0199 to load a remote resource; the embedded URL 'https://jamp.to/tVPNQ4' is the target of that link. A secondary PDF body embedded in the container also shows suspicious static findings, including an external URI action, which points to a multi-stage attack. The primary attack vector appears to be exploitation of CVE-2017-0199 to download and execute a second-stage payload.

Heuristics (4)

  • OLE2Link / URL Moniker → remote loader (CVE-2017-0199) [critical] [CVE likely] CVE_2017_0199
    The document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, fetches the URL, and processes the response according to its Content-Type (HTA → mshta.exe, RTF → Word, and so on), which is the documented CVE-2017-0199 primitive. The file extension in the URL is not a reliable filter: the server can return a different payload to Office's user agent than it returns to a browser or to an analyst's download tool.
  • Secondary embedded PDF body has suspicious static findings [high] POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes the file to a ZIP/OLE parser while a PDF reader or a downstream parser opens the hidden PDF payload.
  • External URI [info] PDF_URI
    The PDF contains an external URI action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jamp.to/tVPNQ4 (URL Moniker)
    • https://www.business.hsbc.com.hk/en-gb/resource-centre/commercial-tariffs
    • https://www.online-banking.business.hsbc.com.hk/portalserver/hsbc/dbbpage/commercial/online/timetable/cutoff
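As an added example, not code from the report or from the analysis tool behind it, the following Python scans a byte blob for the two structures the heuristics above describe: a serialized URL Moniker, recognized by its CLSID (the real CLSID_StdURLMoniker value; the constant and function names are this example's own), and a PDF body at a nonzero offset, from which it then pulls literal /URI targets. The input is a constructed blob that imitates those structures using URL strings taken from this report; it is not the analyzed sample. It also shows why a raw dump of the moniker stream shows a few garbage characters after the link: the length-prefixed UTF-16LE string is NUL-terminated and the bytes after it belong to the moniker, not the URL.

```python
import re
import struct

# CLSID_StdURLMoniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} as it appears
# on disk: Data1/Data2/Data3 little-endian, Data4 in byte order.
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")
PDF_HEADER = re.compile(rb"%PDF-\d\.\d")
PDF_URI = re.compile(rb"/URI\s*\(([^()]*)\)")


def extract_url_monikers(data: bytes) -> list:
    """Return (offset, url) for each serialized URL Moniker in raw bytes.

    Layout: 16-byte CLSID, DWORD byte length of the UTF-16LE string
    (NUL terminator included), then the string.  Bytes after the
    terminator are moniker data, not part of the URL, so they are dropped."""
    hits = []
    pos = 0
    while True:
        i = data.find(URL_MONIKER_CLSID, pos)
        if i < 0 or i + 20 > len(data):
            break
        (length,) = struct.unpack_from("<I", data, i + 16)
        raw = data[i + 20:i + 20 + length]
        url = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        if url:
            hits.append((i, url))
        pos = i + 20 + length
    return hits


def carve_child_pdfs(data: bytes) -> list:
    """Return (offset, body) for every PDF body starting at a nonzero offset.

    A PDF at offset 0 is simply a PDF; one inside another container is the
    polyglot case the report flags.  The body runs from %PDF- to the last
    %%EOF before the next header (incremental updates leave several)."""
    starts = [m.start() for m in PDF_HEADER.finditer(data)]
    bodies = []
    for n, off in enumerate(starts):
        if off == 0:
            continue
        limit = starts[n + 1] if n + 1 < len(starts) else len(data)
        end = data.rfind(b"%%EOF", off, limit)
        if end < 0:
            continue  # header without a trailer: not a complete body
        bodies.append((off, data[off:end + len(b"%%EOF")]))
    return bodies


def pdf_uris(body: bytes) -> list:
    """Literal-string /URI targets in a carved PDF.  No stream inflation and
    no escaped parentheses: enough for a static triage pass, not a parser."""
    return [m.group(1).decode("latin-1") for m in PDF_URI.finditer(body)]


def triage(data: bytes) -> dict:
    """Map the report's heuristic tags to what a raw scan of the bytes finds."""
    monikers = extract_url_monikers(data)
    pdfs = carve_child_pdfs(data)
    return {
        "CVE_2017_0199": [url for _, url in monikers],
        "POLYGLOT_CHILD_PDF": [off for off, _ in pdfs],
        "PDF_URI": [u for _, body in pdfs for u in pdf_uris(body)],
    }


def _serialize_url_moniker(url: str) -> bytes:
    """Build the on-disk form of a URL Moniker for the constructed sample."""
    s = (url + "\x00").encode("utf-16-le")
    # Four bytes of post-string moniker data, which the parser must ignore.
    return URL_MONIKER_CLSID + struct.pack("<I", len(s)) + s + b"\x00\x00\x50\x00"


# Constructed stand-in for the sample: an OLE magic number, a fragment that
# looks like an \x01Ole stream carrying the report's moniker URL, and a tiny
# PDF with a /URI action at a nonzero offset.  Not the analyzed file.
SAMPLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
    + b"\x01Ole\x00" + _serialize_url_moniker("https://jamp.to/tVPNQ4")
    + b"\x00" * 16
    + b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /URI "
      b"/URI (https://www.business.hsbc.com.hk/en-gb/resource-centre/commercial-tariffs) >> >>\n"
      b"endobj\n%%EOF\n"
)

if __name__ == "__main__":
    for tag, values in triage(SAMPLE).items():
        print(f"{tag}: {values}")
```

Scanning the whole file as one byte string is a triage shortcut. An OLE stream can be split across 512-byte (or 64-byte mini) sectors, so a production check should walk the OLE directory, for instance with olefile, and run `extract_url_monikers` over each stream's reassembled bytes; likewise a carved child PDF should be handed to a real PDF parser before any claim about its actions.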

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007926.bin
  SHA-256: 9a85db95c587691a5874b31b664b687edfec6192fc00b1fd6cbfbbe56ee0e2a8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7926
  Size: 13936 bytes

Filename: font_01_sfnt_off00009fa1.bin
  SHA-256: 3c119924dbdaf638dde5d0098e911912b53026a6636c8a487543986d08e96bb1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9FA1
  Size: 13556 bytes

Filename: polyglot_child_pdf_off00000c00.pdf
  SHA-256: 343bb2d85fff40a79bcf0279fde009ec37a6a69c721529712d0d9bbf39d3dbb9
  Kind: polyglot-child-pdf
  Source: Secondary PDF body inside OLE container at offset 0xC00
  Size: 440832 bytes