MALICIOUS
82
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
The sample contains heuristics indicating it is related to CVE-2017-8759 and embeds an external OLE object pointing to a remote URL. This suggests the document is designed to exploit a vulnerability upon opening, likely to download and execute a secondary payload from the specified URL. The embedded URL is the primary indicator of compromise.
Heuristics 3
-
OOXML OLE2Link remote document — CVE-2017-8759 related high CVE_2017_8759_RELATEDDocument contains an o:OLEObject Type=Link whose external oleObject relationship fetches a remote Office-looking document. That is the OOXML OLE2Link staging shape used by CVE-2017-8759 campaigns when the remote document/WSDL supplies the SOAP moniker payload; the local file alone does not contain the WSDL body needed for an exact match.
-
External OLE object relationship high OOXML_EXTERNAL_OLE_OBJECTDocument contains an oleObject relationship whose target is an external HTTP(S) URL. Office resolves this through OLE/object update paths rather than as a normal user-clicked hyperlink.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/markup-compatibility/2006 In document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/relationshipsIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/officeDocument/2006/mathIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawingIn document text (OOXML body / shared strings)
- http://schemas.openxmlformats.org/wordprocessingml/2006/mainIn document text (OOXML body / shared strings)
- http://schemas.microsoft.com/office/word/2006/wordmlIn document text (OOXML body / shared strings)
- https://s3.amazonaws.com/rewqqq/SM.docIn document text (OOXML body / shared strings)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
emf_00.emf |
ooxml-emf | OOXML EMF part: word/media/image1.emf | 2508 bytes |
SHA-256: 388f051b3b9ab6ca47d08ed945005cfccab90f77f7024abaa52319c96c345218 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.