Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 bda7416cdceea1a0…

Verdict: MALICIOUS

File type: Office (OLE) / .XLS
Size: 969.0 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2026-04-15

MD5: 3e5edf5325e6df41c011b5ed537d5c24
SHA-1: 1c592014dd2396833dbcdce89ce31f884e31ed04
SHA-256: bda7416cdceea1a0fedd3ad8f9f96d6a91e60bd5217869fc8f06d8533a6752fd

Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File
  • T1204.002 Malicious File: User Execution
  • T1566 Phishing
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059 Command and Scripting Interpreter
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The sample is an Excel file containing an embedded PDF that exhibits suspicious static findings and recovered JavaScript. The Equation Editor OLE object suggests a potential exploit. The recovered JavaScript, which appears to be a PDF document itself, likely serves as a secondary stage to download and execute further payloads. The VBA macros are present but do not contain executable statements, indicating they are not the primary execution vector.

Heuristics (6)

  • Equation Editor OLE object (severity: high; tag: CVE related; rule: OLE_EQUATION_EDITOR)
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • Secondary embedded PDF body has suspicious static findings (severity: critical; rule: POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • Generic recovered JavaScript exploit stage (severity: high; rule: PDF_GENERIC_STAGE_RECOVERY)
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • VBA project contains no executable statements (severity: low; rule: OLE_VBA_MACROS)
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

macros.bas
  SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source)
  Size: 1206 bytes

ole10native_00.bin
  SHA-256: d4e2a89144e610149903c7670c4d221e4d5505f4551dad6c0f952ec2753f63d9
  Kind: ole-package
  Source: OLE Ole10Native stream: MBD000588E5/oLE10NAtiVe
  Size: 1681 bytes

icc_00_off00010d4f.icc
  SHA-256: d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d
  Kind: pdf-icc-profile
  Source: PDF ICC profile at offset 0x10D4F
  Size: 536 bytes

font_00_sfnt_off000185a5.bin
  SHA-256: 72d364d80d92a25f33929cd2035bec8826666c5562209ec6d92ccfa47393e8f0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x185A5
  Size: 35836 bytes

generic_stage_recovery_000.js
  SHA-256: d78489a29d2cb8f37e5e1437a41aa531c1f82ae29c5e99dcdb629185793563e1
  Kind: deobfuscated-js
  Source: generic stage recovery null-collapse from raw PDF metadata at offset 0x0
  Size: 262144 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 4 long base64-like blob(s).

generic_stage_recovery_001.js
  SHA-256: 26ce057f2f41dfa84e03a4b7701871e987b8112f27707be62334157060d748b9
  Kind: deobfuscated-js
  Source: generic stage recovery null-collapse from decompressed stream at 0x0 at offset 0x0
  Size: 262144 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 4 long base64-like blob(s).

polyglot_child_pdf_off00001000.pdf
  SHA-256: 7728ab02296d00a61307c3116ead432f846ac47e1e3c231ef24fd797fcec39ae
  Kind: polyglot-child-pdf
  Source: Secondary PDF body inside ole container at offset 0x1000
  Size: 988160 bytes