Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ed2dad816d188c62…

MALICIOUS

Office (OLE) / .XLS

Size: 733.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: 9683c8320876b66abfba9a346fa58792
SHA-1: 9159f893ed7cb7f4bc6ab8dadbb8b99df72c4e2a
SHA-256: ed2dad816d188c62346f7a36c95c00faedde6b3e0ca93eb4cd156dc4ad62ddc8
Risk Score: 88

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File
  • T1204.002 Malicious File: User Execution: Malicious Attachment
  • T1059.005 Command and Scripting Interpreter: Visual Basic

The file is an Excel spreadsheet containing an embedded Equation Editor OLE object, a known vector for exploitation of Equation Editor vulnerabilities. The 'x86 GetPC stub' heuristic further suggests that shellcode is present. Although the VBA project contains no executable statements, the presence of the Equation Editor object strongly indicates an attempt to achieve code execution through a vulnerability. The SHA-256 hash is included as the primary IOC.

Heuristics (3)

  • Equation Editor OLE object [severity: high, CVE related, ID: OLE_EQUATION_EDITOR]
    Contains an Equation Editor object. Related to CVE-2017-11882 / CVE-2018-0802 exploitation, but the presence of the CLSID alone is not the malformed MTEF exploit primitive.
  • x86 GetPC stub (CALL $+5; POP EAX) [severity: high, ID: SC_GETPC_CALL]
    x86 GetPC stub (CALL $+5; POP EAX) detected.
  • VBA project contains no executable statements [severity: low, ID: OLE_VBA_MACROS]
    Document contains a VBA project, but the extracted modules contain only attributes, options and comments, and no executable statements.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: macros.bas
    SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673
    Kind: vba-macro
    Source: oletools.olevba.extract_macros (decoded VBA source)
    Size: 1206 bytes
  • Filename: ole10native_00.bin
    SHA-256: 748aadb6d53521ae0add511dc8a8ee104507a5633bda644bcb8b3e59b79e7f04
    Kind: ole-package
    Source: OLE Ole10Native stream: MBD0065BEE6/oLE10NATive
    Size: 1397 bytes