Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 eb1e050d03b43392…

MALICIOUS

Office (OLE) / .XLS

Size: 923.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: 5127dd5c832f0eef016bfb217d249844
SHA-1: 10ace5c2532bd4e88a75acbe74bdd638e99d71a2
SHA-256: eb1e050d03b43392fd2cc6d7de9490e013156eef0f3bb5b7a9d0dc00b8a865cd
Risk score: 70

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.005 Visual Basic

The critical heuristic that fired indicates exploitation of CVE-2017-0199 via an OLE object designed to load remote content. The embedded URL is highly suspicious and likely points to the secondary payload. Although VBA macros were present, they contained no executable statements, which suggests the exploit lives directly in the OLE structure rather than in the macro code.

Heuristics (3)

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 [severity: critical | CVE likely | id: CVE_2017_0199]
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
    URL http://ႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳႳ=0000QQQQQQQQQQQQQQQQQ@0010217725032
  • VBA project contains no executable statements [severity: low | id: OLE_VBA_MACROS]
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.
  • Suspicious extracted artifact [severity: info | id: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size (plus Detection where available).

  • macros.bas
    SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673
    Kind:    vba-macro
    Source:  oletools.olevba.extract_macros (decoded VBA source)
    Size:    1206 bytes
  • ole10native_00.bin
    SHA-256: 5998b72efe4659ec6fd5923017a87411793e23384183bd2a6e92832d463889f9
    Kind:    ole-package
    Source:  OLE Ole10Native stream: MBD00076BDE/Ole10Native
    Size:    902813 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact entropy is 7.99, consistent with packed or encrypted content.
  • stream_000_off00000092.bin
    SHA-256: 72485b5b58aa3f35233985fbcf991137552f304d7d8f95d7344dd2c60e1d8daa
    Kind:    decompressed-pdf-stream
    Source:  PDF FlateDecoded stream at offset 0x92
    Size:    609452 bytes
  • stream_001_off00036b6a.bin
    SHA-256: 7d63e8fe362f9475f2427e09ea4101830fd5784f90143d4f6b9b0e913d097354
    Kind:    decompressed-pdf-stream
    Source:  PDF FlateDecoded stream at offset 0x36B6A
    Size:    627868 bytes
  • font_01_sfnt_off0006f105.bin
    SHA-256: b6b7e008c6aeefb4898851f69d5c4e7396d717d3274ef76a5bfa8fa264f26b5c
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x6F105
    Size:    368224 bytes
  • font_02_sfnt_off0008312c.bin
    SHA-256: 16ad03b584f5954df7868977780113bb97e48bc954df47ecc500e278a6475019
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x8312C
    Size:    297496 bytes
  • font_03_sfnt_off000a0137.bin
    SHA-256: 697f10de4b6c2f852dd9884bca63a6130d420993167c0e597a524615bf3e0165
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0xA0137
    Size:    340944 bytes