MALICIOUS
70
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.005 Visual Basic
The critical heuristic firing indicates exploitation of CVE-2017-0199, which is used to download and execute a remote loader from the URL 'https://peprolinbot.es/pfB8HR?&croup'. Although the VBA macros themselves contain no executable statements, the presence of the CVE exploit suggests the primary function of this file is to act as a dropper for a secondary malicious payload. The file is an Excel spreadsheet, and the exploit is commonly associated with macro-enabled documents.
Heuristics 3
-
OLE2Link / URL Moniker → remote loader — CVE-2017-0199 critical CVE likely CVE_2017_0199Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA -> mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
-
VBA project contains no executable statements low OLE_VBA_MACROSDocument contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://peprolinbot.es/pfB8HR?&croup
- http://schemas.microsoft.com/office/2006/metadata/longProperties
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/
- http://schemas.openxmlformats.org/officeDocument/2006/customXml
- http://schemas.microsoft.com/office/2006/metadata/contentType
- http://schemas.microsoft.com/office/2006/metadata/properties/metaAttributes
- http://schemas.microsoft.com/office/2006/metadata/properties
- http://www.w3.org/2001/XMLSchema
- http://schemas.microsoft.com/sharepoint/v3
- http://schemas.microsoft.com/office/2006/documentManagement/types
- http://schemas.openxmlformats.org/package/2006/metadata/core-properties
- http://www.w3.org/2001/XMLSchema-instance
- http://purl.org/dc/terms/
- http://schemas.microsoft.com/office/internal/2005/internalDocumentation
- http://dublincore.org/schemas/xmls/qdc/2003/04/02/dc.xsd
- http://dublincore.org/schemas/xmls/qdc/2003/04/02/dcterms.xsd
- https://www.facebook.com/suppakit.chmailto:typethai@gmail.comThis
Extracted artifacts 7
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas7f506327609c082af1cd37dde23bc2c71a000f7d1ef530b6abb66775040a7673 |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1206 bytes |
stream_014_off0001517a.bin80c5ba4ef11eeaf89f78293c63f946fbe5dcd398df97b814fb14b3e6efc99505 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1517A | 50448 bytes |
stream_045_off000500fe.bince534ef5a4a8a608709b6e7feb9e852fb100b363324ded8bc5755d1458fad97f |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x500FE | 802458 bytes |
font_00_cff_off0000948d.binc519944e2651ed4561279107092e12cd4464e92ac4e5e432f215fd25c9797d05 |
pdf-font-stream | PDF embedded font (cff) at offset 0x948D | 4346 bytes |
font_01_cff_off0000a2e5.bin4d0d0b9961f8f5726523168be1c764290a7398f3e9644c489cacab207e8a3c29 |
pdf-font-stream | PDF embedded font (cff) at offset 0xA2E5 | 1292 bytes |
font_02_cff_off0001051e.bin34bb6e660995f03ad87d81639bccad2672ead9e244886b4db8d9ffbbbcb47fa6 |
pdf-font-stream | PDF embedded font (cff) at offset 0x1051E | 5161 bytes |
font_03_sfnt_off00021775.binb248f824f3d7a8576bc396826a4d898070c1420564f6ce6aa716aa8ad24f824a |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x21775 | 473880 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.