Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 c3d0774f64f077fe…

MALICIOUS

Office (OLE) / .XLS

403.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: fb9089183b510eae63b7c8d3857859b0 SHA-1: 55c22fd8cc640585f588f16945677a792cc870db SHA-256: c3d0774f64f077fe16bf416be7e31d0d53930681e0eeb266285827d343dde2e4
170 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204 User Execution

The sample is a Microsoft Excel file that exploits CVE-2017-0199 via an OLE2Link/URL Moniker to load a remote resource. The embedded PDF also contains suspicious findings and URIs. The primary IOC is the URL used for the exploit, which likely serves as a downloader for a second-stage payload. The heap spray heuristic further suggests exploitation of a memory corruption vulnerability.

Heuristics 6

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • Heap-spray pattern detected high SC_HEAP_SPRAY
    Repeated 0x0C bytes found
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bfo.com/products/report?version=bforeport-ns-1.2.10-r47746M)/CreationDate(D:20260501073958-07
    • http://bfo.com/products/report?version=bforeport-ns-1.2.10-r47746M
    • http://000015353204525/httpswww.microsofCONTENTS�������������Ole
    • http://www.uline.com/MyAccount/TrackOrders?utm_source=track_order_email&utm_medium=email&utm_campaign=order_confirmation
    • https://www.uline.com/Terms
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1206 bytes
icc_00_off0001b64d.icc
0a8a33aea66a6f154a5642ebe168ef287e73265d9f7b51c42a45e6eedbacda7a		 pdf-icc-profile PDF ICC profile at offset 0x1B64D 456 bytes
font_00_sfnt_off0003115d.bin
9c0d180d654da7e91e6f6a34a17bf2fd9ecfa3a7faea8e2987bf51687b951b18		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3115D 32043 bytes
font_01_sfnt_off000346a9.bin
ce81385f153d7a9d37a58d32032000cfae4835b4059c23cc5badff4ff5774e6f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x346A9 34436 bytes
polyglot_child_pdf_off00001000.pdf
6c4bb4c74c53da4e804a61c6be5a28ec3faf14b834e27d03c25d9310c13d6a22		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x1000 409088 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.