Office (OLE) / .XLS malware analysis — malicious · fecf4673d0a0e5a9

MALICIOUS

Office (OLE) / .XLS

1.86 MB Created: 2006-09-16 00:00:00 Authoring application: Microsoft Excel

MD5: b5ceeb11106449b9246ec02d26c6444e SHA-1: 5c026053912e223b0cb15aefbcae1dc54cc7dc50 SHA-256: fecf4673d0a0e5a9a1d7b0ef9af44c5cb91b43a33f5e28f3bfa960a7a879d93d

108 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.005 Visual Basic

The critical heuristic firing indicates exploitation of CVE-2017-0199 via an OLE2Link object, which attempts to load a remote URL. The embedded PDF also contains suspicious static findings. The VBA macros are present but do not contain executable statements, suggesting they are not the primary execution vector. The primary IOC is the URL used for the remote payload download.

Heuristics 3

OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199

Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.

URL https://peprolinbot.es/EjLiyS
Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE

A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.

URL https://arpo-sa.com/
VBA project contains no executable statements low OLE_VBA_MACROS

Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas` `7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1206 bytes
`font_00_sfnt_off000010ab.bin` `41c2901ebda5b5d79d4a68e71278578ac4fe004bea942385b0ed0c502c07b584`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x10AB	88240 bytes
`polyglot_child_pdf_off00136a00.pdf` `5760cb0143ad231e9543c733875eca19a3b3903fa00f319dae475d37a8470d3c`	polyglot-child-pdf	Secondary PDF body inside ole container at offset 0x136A00	678912 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.