Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 c1c4b21bed2c5162…

MALICIOUS

Office (OLE) / .XLS

1.75 MB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: 6e4ef77f26e651ee25dd59161d86dfca SHA-1: 58bfe2f5dc9bc838e08a3daedeb13bfcec67036e SHA-256: c1c4b21bed2c5162bb27d2900a7bf9062de112ad85e77df2173ba3e7ab66494d
156 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell

The primary heuristic indicates exploitation of CVE-2017-0199 via an OLE2Link object, which attempts to load a remote resource from 'https://peprolinbot.es/FtYa7u?&terracotta'. The presence of a secondary embedded PDF with suspicious static findings, including JavaScript and indicators related to CVE-2010-0188, further suggests a multi-stage attack. The VBA macros were present but contained no executable statements, indicating the exploit is likely delivered through the OLE object itself.

Heuristics 6

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • CCITTFaxDecode + active content — LibTIFF CVE-family indicator high CVE related PDF_CCITT_CVE_2010_0188_RELATED
    PDF uses /CCITTFaxDecode together with JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
  • Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.microsoft.com/office/2006/metadata/longProperties
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml
    • http://schemas.microsoft.com/office/2006/metadata/contentType
    • http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes
    • http://schemas.microsoft.com/office/2006/metadata/properties
    • http://www.w3.org/2001/XMLSchema
    • http://schemas.microsoft.com/sharepoint/v3
    • http://schemas.microsoft.com/office/2006/documentManagement/types
    • http://schemas.openxmlformats.org/package/2006/metadata/core-properties
    • http://www.w3.org/2001/XMLSchema-instance
    • http://purl.org/dc/terms/
    • http://schemas.microsoft.com/office/internal/2005/internalDocumentation
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
    • http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1206 bytes
stream_014_off0001517a.bin
80c5ba4ef11eeaf89f78293c63f946fbe5dcd398df97b814fb14b3e6efc99505		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1517A 50448 bytes
stream_045_off000500fe.bin
ce534ef5a4a8a608709b6e7feb9e852fb100b363324ded8bc5755d1458fad97f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x500FE 802458 bytes
font_00_cff_off0000948d.bin
c519944e2651ed4561279107092e12cd4464e92ac4e5e432f215fd25c9797d05		 pdf-font-stream PDF embedded font (cff) at offset 0x948D 4346 bytes
font_01_cff_off0000a2e5.bin
4d0d0b9961f8f5726523168be1c764290a7398f3e9644c489cacab207e8a3c29		 pdf-font-stream PDF embedded font (cff) at offset 0xA2E5 1292 bytes
font_02_cff_off0001051e.bin
34bb6e660995f03ad87d81639bccad2672ead9e244886b4db8d9ffbbbcb47fa6		 pdf-font-stream PDF embedded font (cff) at offset 0x1051E 5161 bytes
font_03_sfnt_off00021775.bin
b248f824f3d7a8576bc396826a4d898070c1420564f6ce6aa716aa8ad24f824a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x21775 473880 bytes
polyglot_child_pdf_off00093a00.pdf
4815c587e52f5d5641394985f66bead0675bf56201a9a7388444eb690e7bc47e		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x93A00 1234432 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.