Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 ef15b219a909b033…

MALICIOUS

Office (OLE) / .XLS

851.5 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2023-07-24
MD5: 53b39dfec158c27e856a1c2d7e478e87 SHA-1: 11c9678a529a199731fcfdd88d3295a6c335f91b SHA-256: ef15b219a909b033bb058a454e9348a5005802a91c47f3ede32ccb8b256b1196
134 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.005 Visual Basic

The sample is an OLE2Link file that exploits CVE-2017-0199, a known vulnerability for remote code execution. It contains a URL that points to a remote DOC file, indicating it acts as a downloader for a secondary payload. The embedded PDF structure also shows suspicious findings, further supporting its malicious nature. No VBA macros were found to be executable, but the exploit itself is sufficient for malicious activity.

Heuristics 6

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.3.118.24/IVR/THREETHREETHREETHREETHREETHREETHREEHTREE%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23THREETHREETHREETHRRTHREEHTREE.DOC
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1206 bytes
stream_003_off00005d60.bin
2998a126f4fa11ceb265371a5f7968ec18bc4692a32631a544232dc74040021f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5D60 252488 bytes
polyglot_child_pdf_off00001000.pdf
3f29fa828495fde0dd4314dccbc133caa0562f1008933b637de808b0c05fb2d2		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x1000 867840 bytes
polyglot_child_pdf_off00006400.pdf
f2aac03791482ef330ddf33d974019cf4a0b229d8bd2245f11b0e57b0998c62c		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x6400 846336 bytes
polyglot_child_pdf_off00029200.pdf
e7725300f140f3d3cec1f10f1838931fe9a83aab1cd4fee4971b73c96d04d841		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x29200 703488 bytes
polyglot_child_pdf_off00037e00.pdf
553ddf5c65894ae2845488c70a23a20aa434f943a22358ccfc29d89d7bf7d5e0		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0x37E00 643072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.