Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 c98f14153ae84761…

MALICIOUS

Office (OLE) / .XLSX

Size: 851.0 KB
Created: 2006-09-16 00:00:00 (OLE metadata timestamp; attacker-controlled, not evidence of age)
Authoring application: Microsoft Excel
MD5: 10e504ecd0e2b8478eeeb707dd2c4fe8
SHA-1: 21aea140f4db597843407d6adeb5ee1515ea2ecd
SHA-256: c98f14153ae8476171b918a7f53f4b1217cc925b3ac14de749ea93bea1d4f8e6
Risk score: 68

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1059.005 Command and Scripting Interpreter: Visual Basic

The file carries a critical heuristic hit for CVE-2017-0199: an embedded OLE2Link object whose URL Moniker points at a remote URL. When the document is opened, Office resolves the moniker, downloads the remote resource and hands it to a handler chosen by the response's Content-Type, so the link alone is enough to fetch and run a second-stage payload, independent of macro security settings. A VBA project is present, but its modules contain no executable statements, so the OLE link, not the macros, is the primary execution mechanism. The extracted URL is the highest-priority IOC. Note also that the container is an OLE2 compound file despite the .xlsx extension; treat the extension as attacker-chosen and identify the format from the file header.

Heuristics (2)

  • OLE2Link / URL Moniker → remote loader (CVE-2017-0199)
    Severity: critical. Tag: CVE likely. Rule: CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the resource and processes the response according to its Content-Type (an HTA is handed to mshta.exe, an RTF to Word, and so on): the documented CVE-2017-0199 primitive. The URL's extension is not a reliable filter, since the server can return a different payload to Office's User-Agent than it does to an analyst's browser.
  • VBA project contains no executable statements
    Severity: low. Rule: OLE_VBA_MACROS
    Document contains a VBA project, but the extracted modules hold only Attribute lines, Option statements and comments, with no executable statements. This finding does not lower the severity of the OLE link finding.
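As an added illustration, not the analyser's own code and not bytes or source from this sample, the following Python implements both heuristics above over constructed input. The URL Moniker CLSID is the documented CLSID_StdURLMoniker; the stream bytes, the example URL (example.com, a placeholder rather than this sample's IOC) and the VBA module text are constructed for the demonstration. On a real file you would feed it the bytes of the link object stream read with olefile (oletools' oleobj is the usual tool for carving the object) and the modules extracted by olevba.

```python
import re
import struct
import uuid

# CLSID_StdURLMoniker {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, serialized in the
# little-endian GUID layout used inside OLE streams. Office resolves this
# moniker by fetching the URL it wraps: the CVE-2017-0199 primitive.
URL_MONIKER_CLSID = uuid.UUID("{79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}").bytes_le


def find_url_monikers(blob: bytes) -> list[str]:
    """Return every URL that follows a serialized URL Moniker in blob.

    Layout: CLSID (16 bytes) | length (uint32 LE) | UTF-16LE URL, NUL-terminated,
    optionally followed by further moniker data that is counted in length.
    Scanning for the CLSID (rather than walking the OLE structure) lets the
    same routine run on a whole stream, a carved object or any raw bytes.
    """
    urls = []
    pos = blob.find(URL_MONIKER_CLSID)
    while pos != -1:
        start = pos + len(URL_MONIKER_CLSID)
        if start + 4 > len(blob):
            break  # truncated record: CLSID with no length field
        (length,) = struct.unpack_from("<I", blob, start)
        data = blob[start + 4 : start + 4 + length]  # slicing tolerates truncation
        text = data.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        if text:
            urls.append(text)
        pos = blob.find(URL_MONIKER_CLSID, start)
    return urls


# Lines that make a VBA module "present but inert": module attributes,
# Option statements, Rem comments and apostrophe comments.
_VBA_INERT = re.compile(r"^\s*(Attribute\b|Option\b|Rem\b|')", re.IGNORECASE)


def vba_has_executable_statements(src: str) -> bool:
    """True if any line of the module is something other than an attribute,
    an Option statement, a comment or whitespace. Trailing ' _' continuations
    are joined first so a wrapped Attribute line is not misread as code."""
    joined = re.sub(r"[ \t]_\r?\n", " ", src)
    return any(
        line.strip() and not _VBA_INERT.match(line)
        for line in joined.splitlines()
    )


def triage(link_blob: bytes, modules: dict[str, str]) -> dict:
    """Combine both checks the way the report above does."""
    urls = find_url_monikers(link_blob)
    live = [name for name, src in modules.items() if vba_has_executable_statements(src)]
    return {
        "urls": urls,
        "executable_modules": live,
        "verdict": "remote OLE link (CVE-2017-0199 pattern)" if urls else "no remote link",
    }


# --- constructed test data (not bytes or source from the analysed sample) ---

def build_url_moniker(url: str, trailing: bytes = b"") -> bytes:
    """Serialize a URL Moniker record; used here only to build sample input."""
    payload = url.encode("utf-16-le") + b"\x00\x00" + trailing
    return URL_MONIKER_CLSID + struct.pack("<I", len(payload)) + payload


SAMPLE_URL = "http://example.com/update.hta"  # placeholder, not this sample's IOC
SAMPLE_STREAM = (
    b"\x01\x00\x00\x02" + b"\x00" * 28            # filler standing in for a stream header
    + build_url_moniker(SAMPLE_URL, b"\x00" * 24)  # trailing data counted in the length field
    + b"\xff" * 8
)

INERT_MODULE = (
    'Attribute VB_Name = "ThisWorkbook"\n'
    "Attribute VB_GlobalNameSpace = False\n"
    "Attribute VB_Exposed = True\n"
    "Option Explicit\n"
    "' placeholder comment\n"
    "Rem nothing executable here\n"
)

LIVE_MODULE = (
    'Attribute VB_Name = "Module1"\n'
    "Sub Workbook_Open()\n"
    '    MsgBox "hello"\n'
    "End Sub\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_STREAM, {"ThisWorkbook": INERT_MODULE, "Module1": LIVE_MODULE}))
```

The CLSID scan deliberately ignores the OLE directory: a link object's URL can sit in the ObjInfo/Ole stream of an embedded storage, in a carved object, or in an RTF `\objdata` hex blob, and one byte-level routine covers all of them. The macro check is a filter, not a verdict; a module that fails it is still worth reading, and an inert project never downgrades a remote link finding.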

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename     Kind        Source                                               Size
macros.bas   vba-macro   oletools.olevba.extract_macros (decoded VBA source)  1206 bytes
             SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673