Verdict: MALICIOUS
Risk Score: 70
Heuristics (4)
- LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND: Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
- VBA project inside OOXML [medium] OOXML_VBA: Document contains a VBA project (VBA macros present).
- External hyperlinks (175) [low] OOXML_EXTERNAL_HYPERLINKS: Document contains 175 external hyperlinks; clickable URLs are stored as external relationships. First target: https://paper.seebug.org/1044/
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel in parentheses):
- https://paper.seebug.org/shiro-rememberme-1-2-4/ (Document hyperlink)
- https://github.com/wyzxxz/shiro_rce (In document text: OOXML body / shared strings)
- http://1234567890.test.ceye.io (In document text: OOXML body / shared strings)
- https://www.anquanke.com/post/id/193165 (Document hyperlink)
- http://www.oniont.cn/index.php/archives/298.html (Document hyperlink)
- https://github.com/wuppp/shiro_rce_exp (In document text: OOXML body / shared strings)
- https://blog.riskivy.com/shiro-%e6%9d%83%e9%99%90%e7%bb%95%e8%bf%87%e6%bc%8f%e6%b4%9e%e5%88%86%e6%9e%90%ef%bc%88cve-2020-1957%ef%bc%89/ (In document text: OOXML body / shared strings)
- https://blog.riskivy.com/%e6%97%a0%e6%8d%9f%e6%a3%80%e6%b5%8bfastjson-dos%e6%bc%8f%e6%b4%9e%e4%bb%a5%e5%8f%8a%e7%9b%b2%e5%8c%ba%e5%88%86fastjson%e4%b8%8ejackson%e7%bb%84%e4%bb%b6/ (In document text: OOXML body / shared strings)
- https://www.anquanke.com/post/id/181874 (Document hyperlink)
- https://github.com/CaijiOrz/fastjson-1.2.47-RCE (Document hyperlink)
- https://www.freebuf.com/column/207439.html (Document hyperlink)
- https://github.com/alibaba/fastjson/blob/master/src/main/java/com/alibaba/fastjson/support/spring/GenericFastJsonRedisSerializer.java (In document text: OOXML body / shared strings)
- https://github.com/threedr3am/learnjavabug/tree/master/jackson/src/main/java/com/threedr3am/bug/jackson (In document text: OOXML body / shared strings)
- https://www.angelwhu.com/paper/2016/03/15/xstream-deserialization-component-attack-analysis/#0x04-Jenkins������������������ (In document text: OOXML body / shared strings)
- https://github.com/TheTwitchy/xxer (In document text: OOXML body / shared strings)
- https://www.freebuf.com/vuls/215218.html (Document hyperlink)
- https://github.com/beanshell/beanshell (Document hyperlink)
- http://beanshell.org/manual/quickstart.html#The_BeanShell_GUI (In document text: OOXML body / shared strings)
- https://github.com/myzing00/Vulnerability-analysis/tree/master/0917/weaver-oa/CNVD-2019-32204 (In document text: OOXML body / shared strings)
- https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1 (In document text: OOXML body / shared strings)
- https://weaversrc.vulbox.com/ (In document text: OOXML body / shared strings)
- https://github.com/orleven/Tentacle/blob/6e1cecd52b10526c4851a26249339367101b3ca2/script/ecology/ecology8_mobile_sql_inject.py (Document hyperlink)
- https://github.com/jas502n/DBconfigReader (Document hyperlink)
- https://github.com/taomujian/linbing/blob/master/flask/app/plugins/Weaver%20Ecology%20OA/Weaver_Ecology_Oa_Config.py (In document text: OOXML body / shared strings)
- https://github.com/leezp/note/blob/c28f7b232ad5f0ff7ccc672bbedcd34e9e3cca86/20200313%E9%80%9A%E8%BE%BEOA/readme.md (In document text: OOXML body / shared strings)
- https://www.zrools.org/2020/04/23/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1-%E9%80%9A%E8%BE%BEOA-%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E%EF%BC%88%E5%8C%BF%E5%90%8DRCE%EF%BC%89%E5%88%86%E6%9E%90/ (In document text: OOXML body / shared strings)
- https://github.com/NS-Sp4ce/TongDaOA-Fake-User (Document hyperlink)
- https://github.com/zrools/tools/blob/master/python/tongda_v11.4_rce_exp.py (In document text: OOXML body / shared strings)
- https://vas.riskivy.com/vuln-detail?id=33 (In document text: OOXML body / shared strings)
- http://wyb0.com/posts/2019/seeyon-htmlofficeservlet-getshell/ (Document hyperlink)
- https://github.com/timwhitez/seeyon-OA-A8-GetShell (In document text: OOXML body / shared strings)
- https://landgrey.me/blog/8/ (Document hyperlink)
- https://seeyoon.com/seeyonreport/ReportServer?op=fs_load&cmd=fs_signin&_=1560911828892 (In document text: OOXML body / shared strings)
- http://foreversong.cn/archives/1378 (Document hyperlink)
- https://github.com/chaitin/xray/blob/master/pocs/finereport-directory-traversal.yml (In document text: OOXML body / shared strings)
- https://shop.finereport.com/plugin/2d36b210-2a59-4940-8c4f-f3f16d58cd66 (In document text: OOXML body / shared strings)
- http://shopps.finereport.com/com.fr.plugin.external-1.3.4.zip?e=1561433162&token=GYG9vMioxqbEgx-5HoAMAelD0zGdUrXT4UZ3w-d1:N-PeIkhKkjCY7LHdqelnSvp_LmA= (Document hyperlink)
- https://xxxx/seeyonreport/ReportServer?op=im (In document text: OOXML body / shared strings)
- http://127.0.0.1:18080/smartbi/vision/config.jsp (In document text: OOXML body / shared strings)
- http://127.0.0.1:18080/smartbi/vision/chooser.jsp?key=CONFIG_FILE_DIR&root=C%3A%2F (In document text: OOXML body / shared strings)
- https://xxxxxxxxxxx/ (In document text: OOXML body / shared strings)
- https://www.uedbox.com/post/31092/ (Document hyperlink)
- https://blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html?m=1 (Document hyperlink)
- https://github.com/milo2012/CVE-2018-13379 (In document text: OOXML body / shared strings)
- https://github.com/milo2012/CVE-2018-13382 (In document text: OOXML body / shared strings)
- https://xxxxxx:10443/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession (In document text: OOXML body / shared strings)
- https://xxxxxxxx:10443/remote/fgt_lang?lang=/../../../../////////////////////////bin/sslvpnd (In document text: OOXML body / shared strings)
- https://xxxxx:10443/sslvpn/js/login.js?q=5f9a6877fd1f78da768239aae6e739c2 (In document text: OOXML body / shared strings)
- https://www.anquanke.com/post/id/185773 (In document text: OOXML body / shared strings)
- https://github.com/projectzeroindia/CVE-2019-11510 (In document text: OOXML body / shared strings)
+153 more URL(s)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| vbaProject_00.bin | vba-project | OOXML VBA project: word/vbaProject.bin | 22016 bytes | a70aa8c6db61711ba128ab4e748323df0072aa4f58bb0c595c8d14e91b0e0ea1 |