Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 fe09977e38f09360…

MALICIOUS

Office (OLE) / .XLS

1.24 MB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel
MD5: 19e275e7c20bd03c4bd378d2d2f47aab SHA-1: c5a0f4c32a7a60cb6c0a0669c08984040f00c7d2 SHA-256: fe09977e38f09360f469179619b223be78a4f8d23497de2e87191593ebf5b0b1
128 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.005 Visual Basic

The critical heuristic firing for CVE-2017-0199 indicates that this OLE file is designed to exploit this vulnerability to load a remote payload. The embedded URL 'https://curt.wiz.co/UHqJFUNDMm?&eyeglasses=spiritual&match' is highly suspicious and likely points to the location of this payload. Although the VBA macros themselves contain no executable statements, the presence of the CVE exploit and the embedded URL strongly suggest a downloader or dropper functionality.

Heuristics 4

  • OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • ClamAV: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.Trojan-aa0b8f388d8573cd-aa0b8f388d8573cd-9950439-0
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.wowform.com

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
faef16cfc3b69e6dacc60198a7ccc61c4bb61c8632529929cd74db2189ccdc82		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 906 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.