Malicious Office (OLE) / .XLSX — malware analysis report

Static analysis result for SHA-256 fa3a1cb12f491391…

MALICIOUS

Office (OLE) / .XLSX

870.0 KB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: 19356d9311743314b3f1e02f6291cc14 SHA-1: 84f5772ad3dba3531c46665404aee1968b2715a4 SHA-256: fa3a1cb12f4913916856a09b79153c7013cfa7ad13e7be8ce55aea572b172892
110 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell T1204 User Execution

The primary heuristic indicates exploitation of CVE-2017-0199 via an OLE2Link object, which attempts to download a remote payload from the URL 'https://keraskale.me/hmxSt4?&stopsign=abundant&harm=rambunctious&netball=shiny&database=periodic&mime=level&celsius=drab&hacienda=lucky&coffin'. The embedded PDF, which appears to be an image-only lure, further suggests a social engineering tactic to trick the user into interacting with the malicious content. No VBA macros were found to be executable, but the presence of the OLE exploit and the PDF lure strongly indicate a malicious intent to download and execute further stages.

Heuristics 4

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 1206 bytes
polyglot_child_pdf_off00000e00.pdf
a76179729e52bee5eee637e69e862623d7c468895c77d3a599cbe31ce57ccaec		 polyglot-child-pdf Secondary PDF body inside ole container at offset 0xE00 887296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.