Office (OLE) / .XLS malware analysis — malicious · c2eb07d2305a1133

MALICIOUS

Office (OLE) / .XLS

1016.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2026-06-16

MD5: 1c5b5d8a4297a3f114f7e8148566cb85 SHA-1: d03fcb0141bfe3fa3291e54b5cf3d02b522f5054 SHA-256: c2eb07d2305a113344f81a405e4e92a446400032e29c1444c63a571c1b7edb65

70 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.005 Visual Basic

The critical heuristic firing indicates exploitation of CVE-2017-0199, which is a known vulnerability used to download and execute remote code. The embedded URL 'http://392128471' is highly suspicious and likely serves as the initial download source for a second-stage payload. Although VBA macros were present, they contained no executable statements, suggesting the exploit relies on the OLE vulnerability rather than macro execution.

Heuristics 3

OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199

Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://392128471 In document text (OLE body)
- https://wwww.microsoft.com0In document text (OLE body)
- https://docs.microsoft.com/typography/abouthttp://lucasfonts.comMicrosoftIn document text (OLE body)
- http://en.wikipedia.org/wiki/MIT_LicenseIn document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl0ZIn document text (OLE body)
- http://www.microsoft.com/pki/certs/MicCodSigPCA_2010-07-06.crt0In document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0ZIn document text (OLE body)
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0��In document text (OLE body)
- http://www.microsoft.com/PKI/docs/CPS/default.htm0@In document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0ZIn document text (OLE body)
- http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0In document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/CSPCA.crl0HIn document text (OLE body)
- http://www.microsoft.com/pki/certs/CSPCA.crt0In document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/tspca.crl0HIn document text (OLE body)
- http://www.microsoft.com/pki/certs/tspca.crt0In document text (OLE body)
- http://www.microsoft.com/typographyIn document text (OLE body)
- http://www.monotype.com/html/mtname/ms_symbol.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlMicrosoftIn document text (OLE body)
- http://www.monotype.com/html/type/license.htmlIn document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0XIn document text (OLE body)
- http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0In document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0TIn document text (OLE body)
- http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0In document text (OLE body)
- http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0aIn document text (OLE body)
- http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0In document text (OLE body)
- http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^In document text (OLE body)
- http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0��In document text (OLE body)
- http://www.microsoft.com/pkiops/docs/primarycps.htm0@In document text (OLE body)
- http://www.microsoft.com/Typography/0In document text (OLE body)
- http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0lIn document text (OLE body)
- http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt0In document text (OLE body)
- http://www.microsoft.com/pkiops/Docs/Repository.htm0In document text (OLE body)
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0In document text (OLE body)

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1206 bytes
SHA-256: `7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisWorkbook" Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet1" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet2" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "Sheet3" Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True
`stream_004_off00011a40.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x11A40	302130 bytes
SHA-256: `cb4c471795f1104463ab9ac1b233ec71acdbbc1592855189941bd63a4086348e`
`stream_005_off000279a2.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x279A2	546556 bytes
SHA-256: `3e10b51a9c36c4f22a3be0890059f975373155d913cbcc6bffdc9310ebf72990`
`font_00_sfnt_off00007b11.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7B11	100712 bytes
SHA-256: `ced1bb1c102daa3031e6106f2d6d7325bf5f903a49cc36cad47599b0b9573d9c`
`font_01_sfnt_off0005472c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5472C	23664 bytes
SHA-256: `629bb3ae58b48aa102bf50683221ccbb5b5da062adebb204d455eb5948abeb89`
`font_02_sfnt_off0005773c.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5773C	350964 bytes
SHA-256: `fad6c8b0f6b9cb4d69c4b4742cee82b85612951a9846b29e7bed8523e7a55930`

Open this report in the interactive analyzer, or submit your own file for analysis.