Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 cb5fb80d50185960…

MALICIOUS

Office (OLE) / .XLSX

20.5 KB First seen: 2022-03-15
MD5: fe189108f7e3882377c3474d58ef0be6 SHA-1: 6a79928027ba221053781aec9e382c4dd4c8b882 SHA-256: cb5fb80d501859604aebdbc7031d3caef572f3d12cf3067712f065a042d13a88
202 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.001 Malicious Link: Malicious Link T1059 Command and Scripting Interpreter T1059.001 Command and Scripting Interpreter: PowerShell T1190 Exploit Public-Facing Application

The sample is a password-encrypted Office document that exploits CVE-2017-0199. This vulnerability allows the document to act as a remote loader, fetching and executing a payload from the embedded URL. The embedded URL 'https://2l.lv/1O' is highly suspicious and likely serves as the initial download point for the secondary stage malware. The document structure indicates it's designed to carry an exploit, further supporting the malicious intent.

Heuristics 6

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Encrypted Office package with CFB FAT corruption critical OLE_ENCRYPTED_AND_MALFORMED
    Encrypted-package shape co-occurs with FAT-chain corruption — the documented combined evasion form.
  • Default-encrypted OOXML exploit carrier layout high OOXML_ENCRYPTED_EXPLOIT_CARRIER_SHAPE
    Default-password encrypted OOXML package contains embedded OLE object parts and additional activation/decoy parts. This layout is common in malicious Excel exploit delivery and requires inspecting the decrypted package.
  • Office document is password-encrypted medium OFFICE_ENCRYPTED_PACKAGE
    OLE container holds MS-OFFCRYPTO encrypted package (Standard Encryption (Office 2007, AES)).
  • Office OOXML encrypted with default VelvetSweatshop password medium OFFICE_DEFAULT_PASSWORD_ENCRYPTED_OOXML
    OLE EncryptedPackage decrypts with Excel's built-in VelvetSweatshop password. Office opens this transparently, and malware uses it to hide OOXML exploit parts from scanners that only inspect the outer OLE container.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://2l.lv/1O

Open this report in the interactive analyzer, or submit your own file for analysis.