Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 fc4ca89197f05ac4…

MALICIOUS

Office (OLE) / .XLS

Size: 446.5 KB
Created: 2006-09-16 00:00:00
Authoring application: Microsoft Excel
MD5: 8360f6f56d84291ffcd2e0839f5a99cd
SHA-1: 19b41742d6f353f7892f1874fce5267275208620
SHA-256: fc4ca89197f05ac4bea910a515aaa02d85e08ba6644a2ca6482b861f12e0d477
Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1559.001 Component Object Model Hijacking
  • T1204.002 Malicious File

The sample is an Excel file containing an embedded Equation Editor object, which is a known vector for exploiting vulnerabilities. Static analysis identified multiple embedded PDF files with suspicious findings, indicating a likely multi-stage attack. The presence of the Equation Editor object and the embedded PDFs strongly suggests an exploit attempt to deliver a malicious payload, likely a PDF-based exploit.

Heuristics (3)

  • Equation Editor OLE object (severity: high, CVE related) [OLE_EQUATION_EDITOR]
    Contains Equation Editor object — related to CVE-2017-11882 / CVE-2018-0802 exploitation, but CLSID presence alone is not the malformed MTEF exploit primitive.
  • Secondary embedded PDF body has suspicious static findings (severity: critical) [POLYGLOT_CHILD_PDF_STATIC_TRIAGE]
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • VBA project contains no executable statements (severity: low) [OLE_VBA_MACROS]
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

  • macros.bas
    SHA-256: 7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673
    Kind: vba-macro; Source: oletools.olevba.extract_macros (decoded VBA source); Size: 1206 bytes
  • ole10native_00.bin
    SHA-256: 3d120f62b8260b33bbe9233ab29ca7151cc566a7d8feb04192b03147d6c1af03
    Kind: ole-package; Source: OLE Ole10Native stream: MBD00BD089D/ole10NatIvE; Size: 2090 bytes
  • polyglot_child_pdf_off00001000.pdf
    SHA-256: b30fc2a0166489302e125f2318d2df713c94836fd1b9b9012102c8d97b895c16
    Kind: polyglot-child-pdf; Source: Secondary PDF body inside OLE container at offset 0x1000; Size: 453120 bytes
  • polyglot_child_pdf_off00018200.pdf
    SHA-256: 68193c03e81a0b1f542b907be0b89b30f953d63c881afe11a5f0883b0db0a0ec
    Kind: polyglot-child-pdf; Source: Secondary PDF body inside OLE container at offset 0x18200; Size: 358400 bytes
  • polyglot_child_pdf_off00022e00.pdf
    SHA-256: 59192376fcb6597df62ee63461f06485433f3a6bec0176644919b1a9d0992056
    Kind: polyglot-child-pdf; Source: Secondary PDF body inside OLE container at offset 0x22E00; Size: 314368 bytes
  • polyglot_child_pdf_off00039e00.pdf
    SHA-256: 7871466954f72998a741039d6bef53621bfd0910f7bdf0e9bb2e5c608ed98323
    Kind: polyglot-child-pdf; Source: Secondary PDF body inside OLE container at offset 0x39E00; Size: 220160 bytes