Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ca12df158c7e0c07…

MALICIOUS

Office (OLE) / .XLS

Size: 1.36 MB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2026-04-17
MD5: 634fe2861e181557b2c68a186943763e
SHA-1: e298f3fb9ac12a5333039fc8f5826b4419a197d4
SHA-256: ca12df158c7e0c07e1ce8ea3c083833469b6c60096238a30429c147fa3b55be2
Risk score: 112

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The sample is an Excel file containing an embedded Equation Editor OLE object, which is a known vector for exploiting vulnerabilities. Static analysis indicates this object is used to deliver a malicious PDF. The VBA macros are present but contain no executable statements, suggesting the exploit is directly within the OLE object. The polyglot child PDF artifacts are the primary payload.

Heuristics (5)

  • Equation Editor OLE object [high] OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • Secondary embedded PDF body has suspicious static findings [critical] POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • VBA project contains no executable statements [low] OLE_VBA_MACROS
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, with no executable statements.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1206 bytes

Filename: ole10native_00.bin
SHA-256: 201524224f130e16d6f38951bc8cf06accd0b7e9ddb3acb18fd0690e0b998409
Kind: ole-package
Source: OLE Ole10Native stream: MBD003B5D3C/ole10NaTIVe
Size: 1715 bytes

Filename: stream_001_off00016841.bin
SHA-256: f48ea04ac88d94e996724b0312c89f652abb5998d218f16ccdd544cbb7a84532
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x16841
Size: 400552 bytes

Filename: icc_00_off0004974f.icc
SHA-256: d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d
Kind: pdf-icc-profile
Source: PDF ICC profile at offset 0x4974F
Size: 536 bytes

Filename: font_01_sfnt_off00050fa5.bin
SHA-256: 72d364d80d92a25f33929cd2035bec8826666c5562209ec6d92ccfa47393e8f0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x50FA5
Size: 35836 bytes

Filename: polyglot_child_pdf_off0004f800.pdf
SHA-256: d04a9e44ebe5c4ff09bc8f9d347fb12563355e4b6852163d9c8109dc4b37da91
Kind: polyglot-child-pdf
Source: Secondary PDF body inside OLE container at offset 0x4F800
Size: 1101824 bytes

Filename: polyglot_child_pdf_off00001200.pdf
SHA-256: 904440e657df3e29e91131b6c7eb6794ad55615fad1145689e40f10fc191fedf
Kind: polyglot-child-pdf
Source: Secondary PDF body inside OLE container at offset 0x1200
Size: 1422848 bytes

Filename: polyglot_child_pdf_off00088200.pdf
SHA-256: 1d0c0d6c70b3297672d714dc80a42bb8faa7e92d5437c8caf5e270e02a58cfcb
Kind: polyglot-child-pdf
Source: Secondary PDF body inside OLE container at offset 0x88200
Size: 869888 bytes