Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 cdd7ccb35f12e41c…

MALICIOUS

Office (OLE) / .XLS

550.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: 702a5a50496f625a1f5ded7596bd60bf SHA-1: c0d6dbcfe44446883e04dc141119e8b8e8c743df SHA-256: cdd7ccb35f12e41c125243fef12e1005ad3ab1e166714793e6661a6e4ae2da11
62 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell

The critical heuristic firing indicates exploitation of CVE-2017-0199 via an OLE2Link object, which attempts to load a remote resource from the URL http://025475315574. This suggests the file acts as a loader for a secondary malicious payload. The embedded URL is the primary indicator of compromise.

Heuristics 3

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://025475315574��%����o�Ҝ�x��y]̾A��ēf�ƁYF������6hp6hRIglJGrTZpyWoFdQ1UFc6bL3rvSAwTfrXHyuhIhMSQmd3nKDqee9oQ8JkAEphW3zdLqYXsYtpTb5TTe�������������������������������������������������������������������������������������������������������������������������������
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
icc_00_off000000d5.icc
40ac1500464668bf7b89ee95c0c74019a6eede9ef014069eeceb45ec2c0b2d3a		 pdf-icc-profile PDF ICC profile at offset 0xD5 3144 bytes
icc_01_off000019a6.icc
261851b60e65c42afc91a549e5be46ddf6c2cd40d3b1ef1f3d946603ad564178		 pdf-icc-profile PDF ICC profile at offset 0x19A6 2576 bytes
font_00_type1_off0005cd83.bin
3b5ef7121ba56b7899e1c77bd64f826d73c4c34c4709d4ae3d7f1383d094718f		 pdf-font-stream PDF embedded font (type1) at offset 0x5CD83 48978 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
font_01_sfnt_off00069020.bin
8d965d94f491d954203975b065cb6cb35466d2edef873194d2c8588cebcc7495		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69020 41956 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.