Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 bdee79c7dc2cc639…

MALICIOUS

Office (OLE) / .XLS

1.32 MB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: ea5cb060ab60a378f3defff08dd0af02 SHA-1: 4731ad7a8fc3634008b21cef515648e0ebf69f88 SHA-256: bdee79c7dc2cc63947246b88222c0609dd30e466e17b878a3fada9eb35674b65
188 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File Execution: Malicious File T1059.001 Command and Scripting Interpreter: PowerShell

The critical heuristic firing for CVE_2017_0199 indicates that the OLE object is designed to act as a remote loader, fetching content from the provided URL. The embedded PDF also exhibits suspicious static findings, suggesting it may contain malicious content or further exploit stages. The ClamAV detection confirms the malicious nature of the file, identifying it as a downloader. The primary intent appears to be the download and execution of a second-stage payload from the URL: https://short.ruksk.com/wAvDWQ?&leg=fortunate&district=coherent&vibraphone=symptomatic&ronald=fine&kielbasa.

Heuristics 5

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ClamAV: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
faef16cfc3b69e6dacc60198a7ccc61c4bb61c8632529929cd74db2189ccdc82		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 906 bytes
stream_006_off00018962.bin
c8d2947cdcc19670cf5f7032307c6545f1bb58f2ab831ce114d8ca281c5e5f2c		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x18962 98472 bytes
polyglot_child_pdf_off00000e00.pdf
34df398cf6a7d5c03489893016730961d25b75f70457cb782a5105f4c624d103		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0xE00 1378304 bytes
polyglot_child_pdf_off0000d400.pdf
26d7765b6d3e96cc44e772e347555ffce07d90b4253067bd84187327426c513e		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0xD400 1327616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.