Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 d13f0a4ce47f11f1…

MALICIOUS

Office (OLE) / .XLS

Size: 2.20 MB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
First seen: 2026-06-24
MD5: 7556863f1628506a4a2c2f65d901b669
SHA-1: c981753024346ee408f949a60f416533d1a2e6ed
SHA-256: d13f0a4ce47f11f16e95b36e6833b13406546644cb52bb96f2017b64de0c04c2
Risk score: 224

Heuristics (7)

  • Equation Editor Ole10Native payload — CVE-2017-11882 · severity: critical · CVE likely · CVE_2017_11882_EQUATION_OLE10NATIVE
    An embedded Microsoft Equation 3.0 object (CLSID 0002CE02-0000-0000-C000-000000000046) carries an Ole10Native packager stream instead of the normal Equation Native/MTEF data. This is the weaponized Equation Editor RCE delivery shape used by CVE-2017-11882 / CVE-2018-0802 maldocs. The payload (font-record overflow + shellcode) is frequently encrypted and the stream name case-scrambled to evade scanners, but an Equation object holding an Ole10Native stream has no benign use.
  • Equation Editor OLE object · severity: high · CVE related · OLE_EQUATION_EDITOR
    Contains an Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but the CLSID's presence alone is not the malformed MTEF exploit primitive.
  • Equation Editor shellcode downloads a second-stage payload · severity: critical · OLE_MTEF_SHELLCODE_DOWNLOAD_URL
    The shellcode reached by the Equation Editor overflow resolves download/exec APIs and fetches a second-stage payload. The URL was recovered by emulating the shellcode's self-decoding stub; an integer-encoded host (e.g. http://000030000706151) is normalised to its dotted-quad form and both spellings are surfaced.
  • x86 GetPC stub (CALL $+5; POP EDI) · severity: high · SC_GETPC_CALL
    Disassembly
    x86 disassembly · validity: code (0.76) — 11/14 branch targets land on an instruction boundary (79% coherence)
    001E7359  e800000000        call 0x1e735e
    001E735E  5f                pop edi
    001E735F  51                push ecx
    001E7360  59                pop ecx
    001E7361  81c732010000      add edi, 0x132
    001E7367  eb10              jmp 0x1e7379
    001E7369  5a                pop edx
    001E736A  95                xchg ebp, eax
    001E736B  b34d              mov bl, 0x4d
    001E736D  90                nop
    001E736E  90                nop
    001E736F  eb08              jmp 0x1e7379
    001E7371  7256              jb 0x1e73c9
    001E7373  7807              js 0x1e737c
    001E7375  f0                .byte 0xf0
    001E7376  5c                pop esp
    001E7377  3f                aas
    001E7378  80e980            sub cl, 0x80
    001E737B  0000              add byte ptr [eax], al
    001E737D  005159            add byte ptr [ecx + 0x59], dl
    001E7380  eb73              jmp 0x1e73f5
    001E7382  90                nop
    001E7383  90                nop
    001E7384  9c                pushfd
    001E7385  57                push edi
    001E7386  51                push ecx
    001E7387  9c                pushfd
    001E7388  50                push eax
    001E7389  58                pop eax
    001E738A  53                push ebx
    001E738B  57                push edi
    001E738C  52                push edx
    001E738D  eb0a              jmp 0x1e7399
    001E738F  53                push ebx
    001E7390  5b                pop ebx
    001E7391  af                scasd eax, dword ptr es:[edi]
    001E7392  cb                retf
    001E7393  63b2a831bdbe      arpl word ptr [edx - 0x4142ce58], si
    001E7399  81ead71a0000      sub edx, 0x1ad7
    001E739F  eb08              jmp 0x1e73a9
    001E73A1  4e                dec esi
    001E73A2  27                daa
    001E73A3  87f0              xchg eax, esi
    001E73A5  eb02              jmp 0x1e73a9
    001E73A7  2439              and al, 0x39
    001E73A9  81ef8a210000      sub edi, 0x218a
    001E73AF  57                push edi
    001E73B0  5f                pop edi
    001E73B1  81eab7340000      sub edx, 0x34b7
    001E73B7  8d                .byte 0x8d
    001E73B8  92                xchg edx, eax
  • Suspicious extracted artifact · severity: medium · EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA project contains no executable statements · severity: info · OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL · severity: info · EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel that reached each URL in brackets):
    • http://198.23.177.234?& [in document text (OLE body)]
    • http://0030605730752?& [in document text (OLE body)]
    • http://000030000706151 [in document text (OLE body)]
    • http://192.3.140.105 [decoded from obfuscated IP host 000030000706151]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1206 bytes
SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Filename: ole10native_00.bin
Kind: ole-package
Source: OLE Ole10Native stream: MBD001E5059/ole10natIve
Size: 1595 bytes
SHA-256: d41b13f4300538f9ba2ecb6d0fcc594e1715e2db86d629ac66789186d14e755a

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: SC_GETPC_CALL