Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 cf10c29170948795…

MALICIOUS

Office (OLE) / .XLS

Size: 446.0 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2026-06-28
MD5: 487482e4ba1e410df2febe573bbeab29
SHA-1: 51a2d5d55bb17f16ab6438ef792c6de9c1ed6c19
SHA-256: cf10c29170948795920d87e69257541e6b3a1fcd2bef81d8b1eddcbabdfdc226
Risk Score: 106

Heuristics (5)

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 (severity: critical; tag: CVE likely; rule: CVE_2017_0199)
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Secondary embedded PDF body has suspicious static findings (severity: high; rule: POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • VBA project contains no executable statements (severity: info; rule: OLE_VBA_MACROS)
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: http://www.w3.org/1999/02/22-rdf-syntax-ns# Channel: In document text (OLE body)
    • URL: http://ns.adobe.com/pdf/1.3/ Channel: In document text (OLE body)
    • URL: http://purl.org/dc/elements/1.1/ Channel: In document text (OLE body)
    • URL: http://ns.adobe.com/xap/1.0/ Channel: In document text (OLE body)
    • URL: http://ns.adobe.com/xap/1.0/mm/ Channel: In document text (OLE body)
    • URL: https://learn.microsoft.com/en-us/typography/font-list/calibrihttp://lucasfonts.comMicrosoft Channel: In document text (OLE body)
    • URL: http://en.wikipedia.org/wiki/MIT_License Channel: In document text (OLE body)

Extracted artifacts (7)

Files carved from inside the sample during analysis. Each entry lists the artifact's Filename, Kind, Source and Size.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1206 bytes
SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: MBD01C1065B/Ole10Native
Size: 38085 bytes
SHA-256: 88806127cf1876402896112cb254562624fe1bbad0e605ba2131a536f4745647
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.93, consistent with packed or encrypted content.

Filename: ole10native_00_SOA_OF_FREZER_BAZZAR.XLSX
Kind: ole-package-payload
Source: OLE Ole10Native payload: MBD01C1065B/Ole10Native; display_name=SOA OF FREZER BAZZAR.XLSX; full_path=C:\Users\91974\AppData\Local\Temp\SOA OF FREZER BAZZAR.XLSX; temp_path=; def_file=
Size: 37572 bytes
SHA-256: 06aba6f3d1e7c11740517fb9932f9357012db59babd818ba3d4ef493bc13196d

Filename: stream_006_off0000be09.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0xBE09
Size: 352784 bytes
SHA-256: f3175a5c6c9d0f8a85c5a6f93d1f56198dfd0a62dcf8fbe9f723870754d9d5a4

Filename: font_01_sfnt_off00026c0f.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x26C0F
Size: 325592 bytes
SHA-256: fe3b1db0f2f754df94dc97abd715f28456f5f61ea7f5fd026b697bcbf4e5e462

Filename: font_02_sfnt_off0003e393.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3E393
Size: 97260 bytes
SHA-256: 8b67e0d45b72055eb0a78e30d58f83027062e6eeee9af13dfd0cf0d801fc5efa

Filename: polyglot_child_pdf_off0000ae00.pdf
Kind: polyglot-child-pdf
Source: Secondary PDF body inside OLE container at offset 0xAE00
Size: 412160 bytes
SHA-256: 9f5f443283f2cdde6d2aab1af2fef26854db54a284682044f18e1da9e81fde3d