Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 f7830a521176927a…

MALICIOUS

Office (OLE) / .XLS

664.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel First seen: 2026-06-29
MD5: 9da05a57853cf4696e85a0cb1a97883e SHA-1: 310848e7dc6f6f099b855338fff7749e8f287dfe SHA-256: f7830a521176927a1119039a8854a2b849bfaa16078acc28a547a25f555c817e
108 Risk Score

Heuristics 6

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • VBA project contains no executable statements info OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://000030000626436/eiisweeoocuconomictimes.indiatimes.com.php?id=newsnew-updatesindia-set-to-get-first-private-gold-mine-today-all-about-andhra-pradeshs-swarnagiri-project-that-can-produces In document text (OLE body)
    • http://192.3.45.30/eiisweeoocuconomictimes.indiatimes.com.php?id=newsnew-updatesindia-set-to-get-first-private-gold-mine-today-all-about-andhra-pradeshs-swarnagiri-project-that-can-producesDecoded from obfuscated IP host (000030000626436)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/In document text (OLE body)
    • http://ns.adobe.com/pdf/1.3/In document text (OLE body)
    • http://purl.org/dc/elements/1.1/In document text (OLE body)
    • http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 2412 bytes
SHA-256: 1d3b71b8c6234aace88f31f6e674b07383e015a2e68993dcd4fc2526aa470fe5
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
stream_034_off0001c419.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1C419 4657 bytes
SHA-256: 2d33f6487cf7c944ae8d88f5d2db061eecfc10de8c96a74cc9d5d3189c5f87b5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.
stream_040_off00020a9a.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x20A9A 4824 bytes
SHA-256: 6f1847071d0a717615b56a7c408f68dccb0f2fbe399bcedcad0b4b243de1a4fe
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
font_00_sfnt_off00001e72.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1E72 14684 bytes
SHA-256: 3d5ef4c0eea3290cc6d42ebaac04c77d2fe5a4fc25a17c0233bc360a426d86b6
font_01_cff_off00003f5e.bin pdf-font-stream PDF embedded font (cff) at offset 0x3F5E 660 bytes
SHA-256: a6edf414c72392d4da5aeacd123abd40fc18be7ae90fbe761a92c3939d7207db
font_02_sfnt_off0000430b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x430B 10088 bytes
SHA-256: 00990978137e201bac9eb23be7c5b941499254e04f4f51edbe8db3360841f7f8
font_03_sfnt_off0000d4bd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD4BD 52420 bytes
SHA-256: 8117d1dc40a48be386da0951f62c5470ebee844bad91541e56260ebd568e0446
font_04_cff_off00014583.bin pdf-font-stream PDF embedded font (cff) at offset 0x14583 4980 bytes
SHA-256: 5d7d34c425b6bab2bb07d4ce1888662343f89fe8e5cdd1c7ddf331e720075cc9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.46, consistent with packed or encrypted content.
font_05_cff_off00018c58.bin pdf-font-stream PDF embedded font (cff) at offset 0x18C58 695 bytes
SHA-256: c0bcc76c0c443637c58b8fa95dfb9fc3095c30e1da8fbeef908115f71bc4576c
polyglot_child_pdf_off00034c00.pdf polyglot-child-pdf Secondary PDF body inside ole container at offset 0x34C00 463872 bytes
SHA-256: 488575a6ec8a3182dbd648f3d592dbcf8490ff1bbb40f36b9faaebdf1c4de64c