Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 442e0a3d5a46516f…

MALICIOUS

Office (OLE) / .DOC

Size: 6.0 KB
First seen: 2022-07-05
MD5: 2457dd3885e0e0a89f0c130b4067a863
SHA-1: 6c50195368b240b223cbccee62f2120d918baa38
SHA-256: 442e0a3d5a46516f267ab8f8c7dd23e3958c6be1f84ab1d8cfe00365934c1339
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link: Malicious Link
  • T1059 Command and Scripting Interpreter
  • T1059.001 Command and Scripting Interpreter: PowerShell

The sample exploits CVE-2017-0199, a known vulnerability in Microsoft Office, to download and execute a secondary payload from the provided URL. The embedded URL is the primary indicator of compromise, suggesting a downloader or initial access stage. No scripts were extracted, limiting further analysis of the payload's behavior.

Heuristics (2)

  • OLE2Link / URL Moniker → remote loader (CVE-2017-0199) [severity: critical; tags: CVE likely, CVE_2017_0199]
    Document contains an embedded OLE link object whose URL Moniker points to a remote URL. When the host file is opened, Office follows the link, downloads the URL, and processes the response based on its Content-Type (HTA → mshta.exe, RTF → Word, etc.) — the documented CVE-2017-0199 primitive. The URL extension is not a reliable filter; servers can return different payloads to Office's user agent.
  • Embedded URL [severity: info; tag: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://192.227.168.194/500/invc_04.doc?&curio=unsightly&pocket-watch=psychotic&millisecond=roasted&level=nauseating&trash=toothsome&spray=garrulous&struggle=scrawny&slime=powerful&fob=mushy&chaise=real&metronome=nondescript&toga=zonked&pear=understood&ball=zany&typewriter=cuddly&witch-hunt=half&balaclava=tender&editorial=cooing&boundary=ignorant&panther=black&stress=alert&cheque=reminiscent&airplane=lean&representative=smiling&spend=rainy&divide=charming&tugboat=obedient&pantyhose=glib&spandex=toothsome&mother=fat&sad=rambunctious&node=null&crib=drab&guitarist=zealous&increase=misty&seat=lazy&rag=optimal&santa=light&question=woozy&cottage=resolute&comparison=tasty&employment=small&bacon=slippery&cricket=daily&lily=groovy&loincloth=foregoing&forebear=poised&loss=spiffy&tortellini=black&formal=comfortable&marsh=knowing&iran=plucky&soup=blushing&atrium=quizzical&dolman=swanky&pakistan=boring&mustard=sore&telescreen=burly&pond=gaudy&fiber=dizzy&sandwich=dashing&composer=rightful&seed=busy&doubter=resonant&eyelash=godly&pension=ratty&vacuum=teeny-tiny&schnitzel=jagged&locker=incandescent&fishnet=didactic&construction=spicy&garter=obeisant&purpose=knotty&maple=helpless&handle=gifted&twister=ordinary&cracker=gullible&right=cowardly&desert=cultured&mustard=square&town=changeable&dash=giddy&lab=modern&streetcar=embarrassed&importance=absorbed&turban=furtive&viscose=tangible&partridge=sulky&mall=highfalutin&birch=worried&overclocking=faded&shoe-horn=average&fanlight=painstaking&sofa=dynamic&turkey=real&lion=groovy&mustache=motionless&stacking=busy&inlay=discreet&siberian=cuddly&overclocking=majestic&cactus=red&presence=wary&cannon=sloppy&crown=husky&circulation=lucky&aftermath=beautiful&mansard=dry&macrame=piquant&batter=poor&sushi=maddening&vibe=ragged&regulation=sparkling&destiny=ugliest&tankful=dirty&sound=lamentable&asphalt=breezy&tour=tasteful&gene=splendid&candelabra=silent&peak=detailed&direction=garrulous&hallway=loving&cleric=aggressive&breakfast=worried