Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 cde0289496637732…

MALICIOUS

Office (OLE) / .XLS

954.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: dce62b651ca600b69a5caed45e3697af SHA-1: c6a07bf533d8fa9c13b1c642b594168fd6825bea SHA-256: cde028949663773220906cf05908ad00429ff7359fdc4205006674e9d0ee5c94
108 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.001 Malicious Link: Malicious Link T1559 Component Object Model Hijacking T1559.001 Component Object Model Hijacking: Component Object Model Hijacking

The sample is an XLS file containing an embedded Equation Editor OLE object, which is a known vector for exploiting vulnerabilities like CVE-2017-11882. The critical heuristic firing indicates a secondary embedded PDF with suspicious static findings. While no VBA macros were found to be executable, the presence of the Equation Editor object and the embedded PDF strongly suggests an exploit attempt to deliver a malicious PDF. The URLs extracted are benign and related to Adobe XMP metadata.

Heuristics 4

  • Equation Editor OLE object high CVE related OLE_EQUATION_EDITOR
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/illustrator/1.0/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1206 bytes
ole10native_00.bin
8fe209c0acc1e23711f0416792e78aca77ce4cf0ae6b2254a35f830479c0b2c1		 ole-package OLE Ole10Native stream: MBD00C06DB6/oLE10NaTIVE 1926 bytes
stream_027_off0002ed5b.bin
b1d3870696b037464d54072ab0c6b02a60531ec979a87ca3c76ba3f09ac802ca		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2ED5B 457920 bytes
icc_00_off00056af5.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x56AF5 3144 bytes
font_00_sfnt_off00057b87.bin
8b9b49d3bcfcf773b551db446dd8c0b0b9077e2c0780475adbef04da72583906		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57B87 1764 bytes
polyglot_child_pdf_off00001000.pdf
efa425d84924193b1326c475f23a831c63b2761c0577d710794f8aef79165a06		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x1000 972800 bytes
polyglot_child_pdf_off00018a00.pdf
b5a84820700e6e7346929e0f622c36c80f46b35689f497f1840efe99c0c9766e		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x18A00 876032 bytes
polyglot_child_pdf_off00063200.pdf
6e83867dc093eb21fcbcafd4f4137625b500082d7fff76e5e23010ba2c32ae82		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x63200 570880 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.